Uploaded documents are displayed in SAP Fiori apps without further security-related checks. If a document contains malicious content, unintended actions could be triggered at the front end during download or display, which might lead to cross-site scripting vulnerabilities. Various SAP Fiori apps offer the possibility to upload or display documents. If you use one of these apps, you have to install an appropriate virus scanner and define sufficiently restrictive scan profiles to prevent upload of malicious content.
Scan Profiles for SAP Fiori Applications
The virus scanner will reject all documents that do not comply with the rules defined in the settings of the scan profile. These rules need to disallow dangerous MIME types, such as documents with active content like HTML or JavaScript.
The documents are checked with a scan profile before being stored in the Knowledge Provider (KPro). The following scan profiles are available for the SAP Fiori apps offering the possibility to upload or display documents:
| Area | Scan Profile |
|---|---|
| Standard | /SCMS/KPRO_CREATE |
| SAP Master Data Governance | /MDG_BS_FILE_UPLOAD/MDG_VSCAN |
For the SAP Fiori apps My Quotations and Sales Order Fulfillment Monitor, you can overrule the standard scan profile with the following settings (evaluated from top to bottom until a profile is found):
1. Value of parameter &GOS_VPROFILE from memory id &GOS_VSI_PROFILE
2. Value of parameter &BCS_VPROFILE from memory id &BCS_VSI_PROFILE
3. Value in field VALUE for the record in table SXPARAMS with key PARAM = SO_VSI_PROFILE
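The override chain above and the MIME-type rule a restrictive profile must enforce can be modelled outside the SAP system. The following Python is an added example written for this page, not SAP code and not the Virus Scan Interface itself: the profile names and the three lookup sources come from the text, while the `SapMemory` stand-in for ABAP memory ids and the SXPARAMS table, the `EXAMPLE_ALLOWED_MIME_TYPES` allowlist and the active-content entries beyond HTML and JavaScript are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# Profile names as given on the page.
STANDARD_PROFILE = "/SCMS/KPRO_CREATE"
MDG_PROFILE = "/MDG_BS_FILE_UPLOAD/MDG_VSCAN"

# MIME types that carry active content. HTML and JavaScript come from the page;
# the remaining entries are assumptions added for illustration.
ACTIVE_CONTENT_MIME_TYPES: FrozenSet[str] = frozenset({
    "text/html",
    "application/xhtml+xml",
    "text/javascript",
    "application/javascript",
    "image/svg+xml",
})

# Example allowlist a restrictive profile might use (constructed, not SAP's).
EXAMPLE_ALLOWED_MIME_TYPES: FrozenSet[str] = frozenset({
    "application/pdf",
    "image/png",
    "image/jpeg",
})


@dataclass
class SapMemory:
    """Hypothetical stand-in for ABAP memory ids and the SXPARAMS table."""
    memory_ids: Dict[str, str] = field(default_factory=dict)  # memory id -> value
    sxparams: Dict[str, str] = field(default_factory=dict)    # PARAM -> VALUE


def resolve_scan_profile(mem: SapMemory, area_default: str = STANDARD_PROFILE) -> str:
    """Return the scan profile for My Quotations / Sales Order Fulfillment Monitor.

    The three override sources are tried in the order the page lists them; the
    first non-blank value wins, otherwise the area's default profile is used.
    """
    candidates: Tuple[Optional[str], ...] = (
        mem.memory_ids.get("&GOS_VSI_PROFILE"),   # parameter &GOS_VPROFILE
        mem.memory_ids.get("&BCS_VSI_PROFILE"),   # parameter &BCS_VPROFILE
        mem.sxparams.get("SO_VSI_PROFILE"),       # SXPARAMS: PARAM = SO_VSI_PROFILE
    )
    for value in candidates:
        if value is not None and value.strip():
            return value.strip()
    return area_default


def normalize_mime_type(raw: str) -> str:
    """Strip parameters such as '; charset=utf-8' and lower-case the type."""
    return raw.split(";", 1)[0].strip().lower()


def check_mime_type(raw_mime_type: str,
                    allowed: FrozenSet[str] = EXAMPLE_ALLOWED_MIME_TYPES) -> Tuple[bool, str]:
    """Decide whether a MIME type passes a restrictive profile.

    Active content is rejected even if it were placed on the allowlist, and
    anything outside the allowlist is rejected as well (deny by default).
    """
    mime_type = normalize_mime_type(raw_mime_type)
    if not mime_type:
        return False, "empty MIME type"
    if mime_type in ACTIVE_CONTENT_MIME_TYPES:
        return False, f"active content not permitted: {mime_type}"
    if mime_type not in allowed:
        return False, f"MIME type not in allowlist: {mime_type}"
    return True, "accepted"


if __name__ == "__main__":
    mem = SapMemory(sxparams={"SO_VSI_PROFILE": "/Z/CUSTOM_SCAN"})  # constructed value
    print(resolve_scan_profile(mem))
    print(check_mime_type("text/html; charset=utf-8"))
    print(check_mime_type("application/pdf"))
```

The `check_mime_type` function is deliberately fed the MIME type a scanner has determined from the file content, not the type declared by the uploading client; a declared `Content-Type` header is attacker-controlled and must not be the basis for the decision. Blank override values are skipped rather than treated as a profile, which is why the third lookup can still apply when the first two exist but are empty.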
For more information about the configuration for SAP NetWeaver 7.31, see the SAP Help Portal at http://help.sap.com/nw731.
For more information about the configuration for SAP NetWeaver 7.40, see the SAP Help Portal at http://help.sap.com/nw74.
You can find additional information in SAP Notes 786179 and 1494278.