SAP Knowledge Base Article - Preview

2447490 - JSESSIONID "vulnerabilities" in SAP BusinessObjects XI 3.1 / 4.0 / 4.1 / 4.2 / 4.3

Symptom

Running AppScan against BusinessObjects Business Intelligence reports vulnerabilities related to the JSESSIONID cookie, such as "Session Fixation" and "No proper logout functionality".

  • Session Fixation:
    The JSESSIONID does not change after a successful login, i.e. when moving from the login page to the BI Launchpad home page or the CMC home page.
  • No Proper Logout Functionality:
    The JSESSIONID does not change after logging off from BI Launchpad or the CMC.
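As an added check that is not part of this KBA, the script below reproduces the two AppScan findings offline from the Set-Cookie headers captured at three points of a browser session (login page, response to the login POST, response to logout). The captures embedded at the bottom are constructed samples, not real BusinessObjects output; the `/BOE` path and the cookie values are assumptions.

```python
from http.cookies import SimpleCookie
from typing import Iterable, List, Optional


def jsessionid_from_headers(set_cookie_headers: Iterable[str]) -> Optional[str]:
    """Return the JSESSIONID a response sets, "" if the response clears it,
    or None if the response does not touch it. Later headers win, as in a browser."""
    found = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if "JSESSIONID" in jar:
            morsel = jar["JSESSIONID"]
            # Max-Age=0 or an empty value is how a server deletes the cookie
            # (an Expires date in the past is not evaluated here).
            found = "" if morsel["max-age"] == "0" else morsel.value
    return found


def _apply(headers: Iterable[str], held: Optional[str]) -> Optional[str]:
    """Browser-like update of the JSESSIONID the client holds after one response."""
    new = jsessionid_from_headers(headers)
    if new is None:
        return held        # cookie untouched: client keeps sending the old id
    return new or None     # cookie cleared: client no longer holds an id


def check_session_rotation(pre_login, post_login, post_logout) -> List[str]:
    """Each argument is the list of Set-Cookie header values of that response.
    Returns the names of the AppScan findings that apply."""
    findings = []
    before = _apply(pre_login, None)
    after_login = _apply(post_login, before)
    after_logout = _apply(post_logout, after_login)
    if before is not None and after_login == before:
        findings.append("Session Fixation")           # id issued before auth survived login
    if after_login is not None and after_logout == after_login:
        findings.append("No Proper Logout Functionality")  # id still valid after logout
    return findings


# Constructed sample captures (assumed path and values, not real product output).
VULNERABLE_CAPTURE = {
    "pre_login": ["JSESSIONID=AAAA1111; Path=/BOE; HttpOnly"],
    "post_login": [],   # server kept the pre-login session id
    "post_logout": [],  # logout neither cleared nor reissued the cookie
}
HARDENED_CAPTURE = {
    "pre_login": ["JSESSIONID=AAAA1111; Path=/BOE; HttpOnly"],
    "post_login": ["JSESSIONID=BBBB2222; Path=/BOE; HttpOnly; Secure"],
    "post_logout": ["JSESSIONID=BBBB2222; Path=/BOE; Max-Age=0"],
}
```

Replace the constructed captures with the Set-Cookie headers recorded by a browser or proxy at the same three points to re-check a deployment after applying the fix.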

Environment

  • SAP BusinessObjects Enterprise XI 3.1
  • SAP BusinessObjects Business Intelligence 4.x

Product

SAP BusinessObjects Business Intelligence platform 4.0 ; SAP BusinessObjects Business Intelligence platform 4.1 ; SAP BusinessObjects Business Intelligence platform 4.2 ; SAP BusinessObjects Enterprise XI 3.1

Keywords

JSESSIONID, vulnerability, exploit, appscan, BI 4.0, BI 4.1, BI 4.2, session fixation, no proper logout functionality, KBA, BI-BIP-DEP, Webapp Deployment, Networking, Vulnerabilities, Webservices, Problem
