SAP Knowledge Base Article - Preview

3500715 - Restrict Anonymous access to Portal content objects

Symptom

An external security researcher reported that portal content objects are accessible to any authenticated end user, without the administrator role or any other relevant role being assigned.

For example, any end user can open the following URL:

https://<hostname>/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fevery_user!2fgeneral!2fcom.sap.workflow.ui.jwf!2fcom.sap.workflow.ui.WorkflowWizard?WebDynproApplication=WizardApplication&WebDynproDeployableObject=sap.com%2Ftc~eu~jwf~ui~wizard_jwf&System=SAP_LocalSystem&DynamicParameter=type%3Dtasklist%26roomrid%3D%26ContextContainerId%3D0.43579464679334381681938163800%26isnewwindow%3D1

Similarly, end users can also reach the following portal paths:

irj/portalapps*
irj/portal*
irj/servlet/prt*
irj/go/km*
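
When triaging a report like this, the first two things to establish are which PCD object the reported URL actually launches (so the right ACL can be checked) and which of the listed paths really answer without a session. The following script is an added example, not SAP code and not part of this KBA: it decodes the `!XX` escaping that the portal runtime uses for `:` and `/` in PCD object names, flattens the launch parameters (including the nested `DynamicParameter` list), and probes the listed path prefixes with no credentials. The `<hostname>` placeholder is kept from the KBA; the response labels in `classify` are a heuristic of this example, not documented portal behaviour.

```python
"""Triage helper for the KBA symptom: decode the reported PRT URL to the PCD
object it launches, then probe the listed path prefixes without credentials.
Added example, not SAP code; the URL and prefixes are from the KBA text, the
response classification is an assumption of this example."""
import re
import urllib.error
import urllib.parse
import urllib.request

# URL quoted verbatim from the Symptom section (placeholder hostname kept).
REPORTED_URL = (
    "https://<hostname>/irj/servlet/prt/portal/prtroot/"
    "pcd!3aportal_content!2fevery_user!2fgeneral!2fcom.sap.workflow.ui.jwf"
    "!2fcom.sap.workflow.ui.WorkflowWizard?WebDynproApplication=WizardApplication"
    "&WebDynproDeployableObject=sap.com%2Ftc~eu~jwf~ui~wizard_jwf&System=SAP_LocalSystem"
    "&DynamicParameter=type%3Dtasklist%26roomrid%3D%26ContextContainerId%3D"
    "0.43579464679334381681938163800%26isnewwindow%3D1"
)

# Path prefixes the KBA lists as reachable by any end user ('*' wildcards dropped).
PATH_PREFIXES = ["/irj/portalapps/", "/irj/portal/", "/irj/servlet/prt/", "/irj/go/km/"]

# The portal runtime escapes ':' and '/' inside a PCD object name as '!' + two hex digits.
_PCD_ESCAPE = re.compile(r"!([0-9a-fA-F]{2})")


def decode_pcd(segment):
    """Turn 'pcd!3aportal_content!2f...' back into 'pcd:portal_content/...'."""
    return _PCD_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), segment)


def pcd_object_from_url(url):
    """Return the PCD path of the object a .../prtroot/ URL launches."""
    path = url.split("?", 1)[0]
    if "/prtroot/" not in path:
        raise ValueError("not a prtroot URL")
    return decode_pcd(path.split("/prtroot/", 1)[1])


def launch_parameters(url):
    """Flatten the query string; DynamicParameter is itself a URL-encoded parameter list."""
    query = url.split("?", 1)[1] if "?" in url else ""
    params = {k: v[0] for k, v in urllib.parse.parse_qs(query, keep_blank_values=True).items()}
    if "DynamicParameter" in params:
        nested = urllib.parse.parse_qs(params["DynamicParameter"], keep_blank_values=True)
        params["DynamicParameter"] = {k: v[0] for k, v in nested.items()}
    return params


def classify(status, location):
    """Label an unauthenticated probe result (heuristic): 401/403 is blocked, a 3xx whose
    Location mentions a logon page is a login bounce, a 200 body was served anonymously."""
    if status in (401, 403):
        return "blocked"
    if 300 <= status < 400:
        return "redirect-to-logon" if location and "logon" in location.lower() else "redirect"
    if status == 200:
        return "served-anonymously"
    return "other-%d" % status


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def probe_anonymous(base_url, paths=PATH_PREFIXES):
    """GET each prefix with no session cookie and no credentials; never follows redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for p in paths:
        req = urllib.request.Request(base_url.rstrip("/") + p, headers={"User-Agent": "acl-probe"})
        try:
            with opener.open(req, timeout=10) as resp:
                results[p] = classify(resp.status, resp.headers.get("Location"))
        except urllib.error.HTTPError as e:
            results[p] = classify(e.code, e.headers.get("Location"))
        except urllib.error.URLError as e:
            results[p] = "error-%s" % e.reason
    return results


if __name__ == "__main__":
    print("object:", pcd_object_from_url(REPORTED_URL))
    print("params:", launch_parameters(REPORTED_URL))
    # Substitute a real portal host for the placeholder to run the anonymous probe:
    # print(probe_anonymous("https://portal.example.org"))
```

Decoding the reported URL yields `pcd:portal_content/every_user/general/com.sap.workflow.ui.jwf/com.sap.workflow.ui.WorkflowWizard`, so the permission review starts at that object and its parent folders under `portal_content/every_user`. Run the probe from a host with no portal session; a prefix reported as `served-anonymously` is the one to take to the portal content ACL, and a `redirect` to a non-logon target should be inspected by hand rather than counted as protected.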



Environment

SAP Netweaver Enterprise Portal
Release independent

Product

SAP NetWeaver all versions

Keywords

KBA , EP-PIN-SEC-PER , Portal content ACL permissions (Roles, Pages...) , Problem

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).