Problem Note 34727: Users of SAS® Credit Risk Studio might be able to access server files without being granted permissions
Users of SAS Credit Risk Studio might be able to access server files without explicitly being granted permissions to do so.
For example, criskuser1 and criskuser2 are SAS Credit Risk Studio users that have not been granted permission to view one another's files on the SAS® Credit Risk Management for Banking Server. User criskuser1 should not be able to access criskuser2 server files. However, by exploiting the SAS Credit Risk Studio file servlet, criskuser1 might be able to access the criskuser2 server files that are associated with a given URL.
Select the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
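Product Family: SAS System
Product: SAS Credit Risk Management for Banking
System | Product Release Reported | Product Release Fixed* | SAS Release Reported | SAS Release Fixed* |
Microsoft Windows Server 2003 Standard Edition | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |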
Microsoft Windows XP Professional | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
Windows Vista | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
Windows Vista for x64 | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
Microsoft Windows Server 2003 Enterprise Edition | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
Microsoft Windows Server 2003 Datacenter Edition | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
Microsoft Windows NT Workstation | 4.5 | | 9.1 TS1M3 SP4 | |
Microsoft Windows 2000 Professional | 4.5 | | 9.1 TS1M3 SP4 | |
Microsoft Windows 2000 Server | 4.5 | | 9.1 TS1M3 SP4 | |
Microsoft Windows 2000 Datacenter Server | 4.5 | | 9.1 TS1M3 SP4 | |
Microsoft Windows 2000 Advanced Server | 4.5 | | 9.1 TS1M3 SP4 | |
64-bit Enabled AIX | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
64-bit Enabled HP-UX | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
64-bit Enabled Solaris | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
HP-UX IPF | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
Linux | 4.5 | 4.6 | 9.1 TS1M3 SP4 | 9.2 TS2M2 |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: | Problem Note |
Priority: | alert |
Date Modified: | 2009-04-07 10:08:10 |
Date Created: | 2009-02-06 13:43:56 |