
ITS security issue when download, execute program warning

Former Member
0 Kudos

Hi Emre,

Thanks a lot for taking your time to reply.

Although I don't know how to set the JAVABEAN attribute, I have done a lot of debugging of the function call cl_gui_frontend_services=>execute from the SAP WebGui, and I could not find this attribute being checked. In my case the following code is the real code executed:

CALL METHOD OF doc-obj 'ExecuteEx'
       EXPORTING #1 = mcommandline
                 #2 = mprogram
                 #3 = mOperation.


in Include LSIT1O01 line 480. This starts an applet for execution of a commandline. Java console says all ok, but then this popup comes:

BR

SSA

Accepted Solutions (1)


cris_hansen
Advisor
0 Kudos

Hello Salman,

Please read SAP note 1555523. You will need to adjust the white list in webgui.cfg for the proper external executable execution. I hope this helps.

Regards,

Cris

Former Member
0 Kudos

Thanks Cristiano, issue resolved.

With the help of note 1555523, I was able to put the right entries in WEBGUI.cfg.

The contents of webgui.cfg are:

FILE_EXECUTE_EXECUTABLE_ALLOWED=C:\Windows\System32\cscript.exe;

FILE_EXECUTE_EXTENSIONS_ALLOWED=exe;vbs

Note that in the white list, I had to provide the complete path of the application executable.

Regards

Salman

Answers (2)


Former Member
0 Kudos

Hi Salman,

I've got a similar problem.

If you allow the "exe" extension, then EVERY exe is allowed to be executed, not just the one you specified with FILE_EXECUTE_EXECUTABLE_ALLOWED. At least in our scenario.

Is there a solution, where you can allow just specific exe files?

regards

Martin

Former Member
0 Kudos

Hi Martin,

Have you tried commenting out / removing "FILE_EXECUTE_EXTENSIONS_ALLOWED=exe;vbs" from the webgui.cfg? The file should only contain "FILE_EXECUTE_EXECUTABLE_ALLOWED=<your exe>".

Although for me, only the executable which I mentioned in my previous post was working. Maybe a different JVM version, I guess!

Former Member
0 Kudos

Hi Salman,

thanks for the quick response.

My Config looks like this:

# FILE_EXECUTE_EXTENSIONS_ALLOWED=exe

FILE_EXECUTE_EXECUTABLE_ALLOWED=C:\Windows\notepad.exe

That only works if I uncomment the first statement. Otherwise I get an error that execution of exe-files is permitted.

JVR is 8 Update 60 with Security Level High not Very High

SAP-Kernel 742

Patch 300

Why do you allow a specific exe file, if you already allowed the execution in general?

regards

Martin
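
Added example (not part of any post in this thread, and not SAP code): a small Python check for the two webgui.cfg keys discussed above, flagging executable types allowed by extension and allow-list entries without a complete path. The KEY=a;b syntax and # comments are taken from the posts; the set of risky extensions, the severity labels and the case-insensitive key handling are assumptions.

```python
from pathlib import PureWindowsPath

# Extensions that start code on Windows. This set is an assumption of the example.
RISKY_EXTENSIONS = {"exe", "com", "bat", "cmd", "vbs", "js", "ps1", "scr"}
EXT_KEY = "FILE_EXECUTE_EXTENSIONS_ALLOWED"
EXE_KEY = "FILE_EXECUTE_EXECUTABLE_ALLOWED"

# The two configurations as posted in the thread.
SALMAN_CFG = r"""
FILE_EXECUTE_EXECUTABLE_ALLOWED=C:\Windows\System32\cscript.exe;
FILE_EXECUTE_EXTENSIONS_ALLOWED=exe;vbs
"""
MARTIN_CFG = r"""
# FILE_EXECUTE_EXTENSIONS_ALLOWED=exe
FILE_EXECUTE_EXECUTABLE_ALLOWED=C:\Windows\notepad.exe
"""

def parse_cfg(text):
    """Parse KEY=a;b lines; '#' comment lines and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        items = [v.strip() for v in value.split(";") if v.strip()]
        settings.setdefault(key.strip().upper(), []).extend(items)
    return settings

def audit(text):
    """Return (severity, message) findings for the two allow-list keys."""
    cfg = parse_cfg(text)
    exts = {e.lower().lstrip(".") for e in cfg.get(EXT_KEY, [])}
    findings = []
    for ext in sorted(exts & RISKY_EXTENSIONS):
        # Per the report in the thread, a type-wide allowance covers every such file.
        findings.append(("HIGH", f"executable type '{ext}' is allowed by extension"))
    for exe in cfg.get(EXE_KEY, []):
        path = PureWindowsPath(exe)
        if not path.is_absolute():
            findings.append(("MEDIUM", f"'{exe}' is not a complete path"))
        if path.suffix.lower().lstrip(".") in exts:
            findings.append(("INFO", f"'{exe}' is already covered by its extension"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("Salman", SALMAN_CFG), ("Martin", MARTIN_CFG)):
        print(name, audit(cfg) or "no findings")
```
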

Former Member
0 Kudos

Hi,

I've got the solution.

The problem wasn't with Java (unbelievable, I know). It was a mistake on the ABAP side.

wrong:

CALL METHOD CL_GUI_FRONTEND_SERVICES=>EXECUTE
  EXPORTING
    document = 'some_executable.exe'.

right:

CALL METHOD CL_GUI_FRONTEND_SERVICES=>EXECUTE
  EXPORTING
    application = 'some_executable.exe'.

Then everything works just fine.

regards

Martin

Emre_tr
Active Participant
0 Kudos

I've got the same error. I am not sure we are able to execute a frontend application through WebGUI screens.

Normal download functionality is working in ALV list with webgui screen.