Display of sensitive data in Community

hendrikweise
Advisor
2,016

Hello,


following a moderator suggestion, I'm posting this question here.
When uploading a file from my PC to the community, let's say in
a question I ask, parts of the storage location and my I-number are
shown to everybody as they are part of the attachment's name.
An example would be 'cusersi123456desktopcomm02.jpg'.


This should be corrected.

Hendrik

1 ACCEPTED SOLUTION

sebastian_wolf
Product and Topic Expert
993

Hi everybody,

first I'm sorry that we haven't replied earlier.

This one here is an important issue - exposing sensitive information is a real no-go. Unfortunately, the way the file name is generated on the server is core functionality of AnswerHub (the platform SAP Answers is using). We have already opened a bug ticket with the vendor to get this resolved. However, you can influence this behavior yourself by changing a setting in Internet Explorer.

Open Tools -> Internet Options -> Security -> Custom level... and in the dialog that opens, look for Miscellaneous -> "Include local directory path when uploading files to a server". If you have this issue, it looks like this on your machine:

Set this value to disabled and you're done!

Most certainly this issue only occurs on SAP-operated machines as we have *.sap.com in the list of Trusted Sites in IE (Colleagues, just have a look there which sites are also trusted, it might be interesting). Of course, if you have *.sap.com in the list of trusted sites or you explicitly switched on this "feature" and you are not an SAP employee, this issue affects you as well.

As mentioned, we are trying to get this issue solved in the core functionality by letting the system only use the file name. Until then, thank you for your understanding!

Best regards,

Sebastian
for the SAP Community Team
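
The server-side fix mentioned in this answer (use only the file name), sketched as an added example; it is not part of the original thread and not AnswerHub's code. `naive_name` is a hypothetical sanitizer that merely drops unwanted characters, which is one way a submitted path could end up flattened like the name in the question; `safe_name` and the sample path are likewise constructed for illustration.

```python
import re
import unicodedata

# Constructed input: the multipart filename IE submits when "Include local
# directory path when uploading files to a server" is enabled.
IE_FILENAME = r"C:\Users\i123456\Desktop\comm02.jpg"


def naive_name(client_filename: str) -> str:
    """Hypothetical weak sanitizer: lowercases and drops every character
    that is not a letter, digit or dot, so directory names survive."""
    return re.sub(r"[^a-z0-9.]", "", client_filename.lower())


def safe_name(client_filename: str, fallback: str = "upload") -> str:
    """Reduce a client-supplied filename to its final path component,
    regardless of which OS the client or the server runs."""
    # Fold compatibility forms (e.g. fullwidth backslash) to ASCII first.
    name = unicodedata.normalize("NFKC", client_filename)
    # Treat both separators as path separators: on a Linux server,
    # os.path.basename() does not split on backslashes.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop a bare drive prefix left by inputs such as "C:photo.jpg".
    name = re.sub(r"^[A-Za-z]:", "", name)
    # Allowlist the remaining characters and strip leading dots so the
    # result is never "." or ".." or a hidden file.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name or fallback


if __name__ == "__main__":
    print("naive:", naive_name(IE_FILENAME))
    print("safe: ", safe_name(IE_FILENAME))
```

Doing this on the server covers every browser and security-zone setting, so the displayed name no longer depends on each user changing the IE option.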

16 REPLIES

Former Member
0 Kudos
993

I might expect the original filename to be visible, although that could easily be masked also I guess, but to make the whole file path, including in this case a user name, is definitely not a good idea.

Steve.

mrapp
Participant
0 Kudos
993

Is there a way to change this generated filename manually?

JL23
Active Contributor
0 Kudos
993

I have not yet seen this described case and I uploaded many pictures already and I see many embedded pictures and attachments during the day.

I just attached this and it has only the name, no directory, nothing from my user ID:

csrfattack.png

And yes, the displayed can be changed, click the link of the attachment and select Edit:

jerryjanda
Community Manager
0 Kudos
993

Hi, Hendrik:

I wonder if it has something to do with being an SAP employee -- although I've not heard of any other colleagues reporting this (or even experiencing it myself, for that matter).

Let me check with some people and get back to you...

Best regards,

--Jerry

Make sure to subscribe to What's New!

jcgood25
Active Contributor
992

This embedded picture here in my answer is coming from my C:\ drive, and in draft mode using IE 11, I see the current uploaded picture (I used my avatar image and gave myself a minor haircut by trimming the picture) below where I am typing. The file name is cjgoodpicturesjeremyjeremygood.jpg which is the full file path (minus the directory slashes).

jcgood25
Active Contributor
0 Kudos
992

Same thing seems to happen as a comment, but this time I trimmed my goatee, but uploaded the exact same picture.

992

I uploaded this in IE11, Windows 7, 32-bit, not part of a domain. I used a picture from a folder in my C drive.

I don't seem to encounter such issues.

No problems in Firefox ESR and Pale Moon either, I would have noticed that.

jcgood25
Active Contributor
0 Kudos
992

Windows 10 Enterprise 1511 here on my laptop, and it is reproducible. When DEV gets around to troubleshooting or digging deeper into this, I am happy to support their efforts to fix this.

jcgood25
Active Contributor
0 Kudos
992

Apparently Chrome only uses the file name, so I guess you can say that I 'see' the problem. Same image, trimmed to the all seeing eye - so perhaps this is unique to IE?

jcgood25
Active Contributor
0 Kudos
992

Final test - comments and answers act the same in Chrome (only the file name is revealed after the upload), so if the DEV team can hear me, it would app'ear' that IE is causing this issue and not Chrome.

jcgood25
Active Contributor
0 Kudos
992

I provided some test cases below using IE 11 and Chrome. Problem appears to be constrained to IE - not sure about Firefox or other possible browsers.

mrapp
Participant
992

Hi Jerry.

From my point of view it has nothing to do with being an SAP employee. I ran into the issue some days ago (w/ IE11 as Jeremy described below).

Kr

Martin

hendrikweise
Advisor
0 Kudos
992

Thanks to everybody investigating this!
Indeed I only use the standard IE coming with the installation image.
So far, I did not see this in other posts I was active in and where pictures were uploaded. Might also be related to the location where my pictures were stored, I did not try with something else as source such as C:\tmp.

jerryjanda
Community Manager
0 Kudos
992

Thanks for notifying me, Martin. I have opened a bug ticket in the hopes of resolving.


jerryjanda
Community Manager
992

Thanks for that, Jeremy...although I was tempted to downvote simply because of what you chose to photograph. 🙂

Joking aside, I updated a bug report to indicate that a) it affects more than SAP employees and b) may be limited to IE (possibly also Firefox).

