Skip to content

SAPs afraid of no Ghost! Or is it?

SAP Summary
While using Firefox in combination with the Add-on Ghostery on Windows10 & Server 2012, it's possible to flood a SAP-System with new sessions.

While opening a expense-report form, the page does not load the PDF, but reloads constantly and creates a new login with every reload.
Valid credentials and authorizations to display the forms are necessary.
There is no direct mitigation for this behavior.

----------------------------------------------------------------------------

Browser plugins can have some interesting or even unwanted effects on websites.
They can help to protect your privacy, leak your data, stop malware, and much more.
And they can, in the right combination of Browser and Plugin, DoS SAP-Systems!

While doing my expenses, I wanted to print the expense-form from the WEBGUI (using a Webdynpro).
After pressing the show/print button SAP creates a pop-up to load the form as a PDF.

This usually worked without a problem, but apparently I did something different today.
Pressing the button opens a pop-up in a new browser tab, but instead of displaying the PDF, the page stays blank and reloads constantly.

As this was clearly not working and I had to finish my expenses, I closed the blank page and switched grudgingly to IE.
While logging-in in with IE, the system informed me that I was already logged-in...70 times!

Now this was getting interesting - I finished my expenses with IE and did some snooping around!

I was able to replicate this behavior again and again with Firefox.
For every reload of the tab in Firefox, a new user-login was generated and displayed in the transaction AL08.

After a minute, my sessions outnumbered all other session put together!

To get to the bottom of this problem, I played around with a combination of browsers and my installed Add-ons while monitoring the sessions in AL08.
I was able to replicate the behavior reliably, but only with Firefox and Ghostery.
Chrome and Ghostery worked fine.

Tested Versions:
Firefox (49.x)
Ghostery (7.x)
Windows: 10 and Server 2012R2
SAP: ERP 6.0 EHP6, NW7.0 EHP3, Kernel 722_EXT, Basis Release 731 SP18

While browsing the Service Marketplace, the SAP Community Network and other trusted sources, I could not find any further information about this issue.
Either this is something not know to many people, or my google-fu was weak when I searched for a reason.

Looking around in the SAP Community Network and SAP Service Marketplace I found no easy solution for this problem.
I checked the parameter rdisp/max_alt_modes and it was set to "6" - so this parameter has no effect on http-logins.



There seems to be no parameter that can limit the logins via http for a single user, only the total number of http logins.

I have not tested other transactions that display Pop-ups, but I suspect that they are susceptible for this behavior as well.
Kategorien: SAP

Trackbacks

Keine Trackbacks

Kommentare

Ansicht der Kommentare: Linear | Verschachtelt

Noch keine Kommentare

Die Kommentarfunktion wurde vom Besitzer dieses Blogs in diesem Eintrag deaktiviert.