SAP Knowledge Base Article - Preview

3143650 - The logoff parameter redirecturl is marked as a security vulnerability

Symptom

Security scans may flag the redirecturl parameter of the ICF logoff service as a security vulnerability. The value of this parameter is used as the target the browser is redirected to after logoff, so an attacker who gets a victim to open a crafted logoff link can send the victim on to a URL of the attacker's choosing (an open redirect).

Example:
https://<host>:<port>/sap/public/bc/icf/logoff?redirecturl=https://my.malicious.url

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
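The following is an added example, not code from this KBA or from SAP's own logoff service, showing what a scanner checks for and what a hardened redirect handler must reject. The allowed host list, the probe URL builder and the captured responses are all constructed for illustration; SAP's actual allowlist mechanism is not reproduced here.

```python
from urllib.parse import quote, urlsplit

# Hypothetical allowlist of hosts this system may redirect to after logoff.
ALLOWED_HOSTS = {"sap.example.com", "portal.example.com"}

# Redirect status codes a scanner treats as a redirect.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def build_probe(host: str, port: int, target: str) -> str:
    """Build the logoff URL from the KBA with an attacker-chosen redirecturl."""
    return (f"https://{host}:{port}/sap/public/bc/icf/logoff"
            f"?redirecturl={quote(target, safe='')}")


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site path or an http(s) URL whose host is allowlisted.

    Covers the usual open-redirect bypasses: scheme-relative "//evil",
    backslash variants "/\\evil" (browsers treat "\\" as "/"), userinfo
    tricks "https://trusted@evil", and non-http schemes such as javascript:.
    """
    if not target:
        return False
    t = target.strip().replace("\\", "/")
    parts = urlsplit(t)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading "/" (not "//", which is host-relative).
        return t.startswith("/") and not t.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def redirect_leaves_site(status: int, headers: dict,
                         allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Classify a captured logoff response: True if it redirects off-site."""
    if status not in REDIRECT_STATUSES:
        return False
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    return location is not None and not is_safe_redirect(location, allowed_hosts)


# Constructed responses to the probe (not captured from a real system).
VULNERABLE_RESPONSE = (302, {"Location": "https://my.malicious.url"})
HARDENED_RESPONSE = (302, {"Location": "/sap/public/bc/icf/logoff"})

if __name__ == "__main__":
    print(build_probe("host", 443, "https://my.malicious.url"))
    print("vulnerable:", redirect_leaves_site(*VULNERABLE_RESPONSE))
    print("hardened:  ", redirect_leaves_site(*HARDENED_RESPONSE))
```

A scanner that reports this finding is doing the equivalent of redirect_leaves_site on the real response: it sends the probe and checks whether the Location header points at a host it did not supply in the allowlist. Whatever allowlist the system uses, the validator must reject the bypass forms handled in is_safe_redirect, not only the literal example host.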


Environment

  • SAP NetWeaver
  • SAP NetWeaver Application Server for SAP S/4HANA
  • ABAP PLATFORM - Application Server ABAP

Product

ABAP platform all versions ; SAP NetWeaver all versions ; SAP Web Application Server for SAP S/4HANA all versions

Keywords

ICF, Internet Communication Framework, SICF, Service, Services, ICF service, ICF_GDPR, ICF_STD, ICF logoff service vulnerability, security team, redirectURL, url for redirect, allowlist, http_whitelist, se16, ucon, uconcockpit, logoff service, Trusted Network Zone, entry type 21, ucon_chw, open redirect, vulnerability, Open-Redirect vulnerability, logoff endpoint, re-direct, sanitize redirection , KBA , BC-MID-ICF , Internet Communication Framework , BC-MID-ICF-LGN , ICF System Login , Problem

About this page

This is a preview of an SAP Knowledge Base Article; the full version is available on SAP for Me (login required).
