ABSTRACT

Without proper authorization checks, the program may allow an unauthorized user to start a restricted transaction.

EXPLANATION

An ABAP program can start a new transaction by calling the CALL TRANSACTION command. If no authorization check is performed before the call, the user running the ABAP program will be able to start a transaction that would otherwise be restricted for that user.

Example 1: The following code calls a transaction that starts the ABAP editor.


...
" No AUTHORITY-CHECK precedes this call, so any user who can run this program
" can start SE38 through it regardless of their own transaction authorizations.
CALL TRANSACTION 'SE38' USING BDCDATA MODE 'N'
  MESSAGES INTO MESSTAB.
...

In this case, an otherwise unauthorized user running the code may be able to start the ABAP editor and inject arbitrary code into the SAP system.
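The same call with an explicit authorization check in front of it, as an added example that is not part of the original page. The program name, the local class, and the plain bdcdata/messtab declarations are assumptions; the check uses the standard authorization object S_TCODE (field TCD), which is what the SAP menu checks when a user starts a transaction.

```abap
REPORT z_guarded_call_transaction.

CLASS lcl_tx_guard DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true only if the current user holds S_TCODE for iv_tcode.
    CLASS-METHODS may_start
      IMPORTING iv_tcode          TYPE sy-tcode
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_tx_guard IMPLEMENTATION.
  METHOD may_start.
    " S_TCODE / TCD is the object checked when a user starts a transaction
    " from the menu. On older releases CALL TRANSACTION does not perform this
    " check by itself (newer releases add a WITH AUTHORITY-CHECK addition;
    " verify the behaviour of your release), so the program checks explicitly.
    AUTHORITY-CHECK OBJECT 'S_TCODE'
      ID 'TCD' FIELD iv_tcode.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ELSE.
      rv_allowed = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

" One constant is used for both the check and the call, so the transaction
" that is checked can never drift apart from the transaction that is started.
CONSTANTS lc_tcode TYPE sy-tcode VALUE 'SE38'.

DATA: bdcdata TYPE TABLE OF bdcdata,   " batch-input data (assumed filled elsewhere)
      messtab TYPE TABLE OF bdcmsgcoll.

START-OF-SELECTION.
  IF lcl_tx_guard=>may_start( lc_tcode ) = abap_false.
    " Refuse before the transaction is started; nothing of SE38 runs.
    MESSAGE 'Not authorized to start transaction SE38' TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  CALL TRANSACTION lc_tcode USING bdcdata MODE 'N'
    MESSAGES INTO messtab.
```

Checking a fixed literal in AUTHORITY-CHECK while the CALL TRANSACTION target comes from a variable is a common variant of this weakness; keeping both on the same constant, as above, avoids it.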

REFERENCES

[1] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A10 Failure to Restrict URL Access

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A8 Failure to Restrict URL Access

[4] Standards Mapping - FIPS200 - (FISMA) AC

[5] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 285

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Insufficient Authorization

[8] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Porous Defenses - CWE ID 285

[9] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Porous Defenses - CWE ID 285

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.2

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.4

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.8