Information disclosure

Information disclosure is a potential security risk. Most IT software has a way to show the exact software version. This detailed information can be useful for an end user submitting an incident. Or for an administrator to know if certain patching is needed for an IT system.

But the detailed version information can also be used by a hacker to know if the system is vulnerable for some known attacks (and the system is not yet patches with the fix).

Hence for IT systems one should be careful and conscious about showing detailed version information: this is called information disclosure.

Known information disclosure items

ABAP System / Status

In ABAP stack, you can reduce the information in System/Status via authorizations. See OSS note 2658772 – System -> Status: Restriction of the available information.

Web administration interface

The web administration interface is a very known one. How to solve, read this blog.

Information disclosure security notes

Every month SAP release security notes (see blog). For the SAP systems that are internet facing (like portals, Netweaver Gateways, PI systems), check and apply the information disclosure notes as soon as possible. For the other systems, apply them at your normal security cycle speed.

Table AQLDB clean up

Table AQLDB is used for storing data of SAP Queries created via SQ01 queries. Cleaning this up can be tricky job.

Deletion of old query data

Deletion of old SAP query data is performed via program RSAQQLRE_MASS:

Background OSS note: 2336268 – SQ01: Reorganization of saved lists.

In case of inconsistencies, install program Z_INCONSISTENT_SAVED_LISTS from OSS note 2173291 – Saved List cannot be deleted by program RSAQQLRE.

Clean up of generated programs

Program RSAQDEL0 can be used to clean up generated query program data:

System queries, generated programs and obsolete programs can be cleaned up.

Background notes:

Data archiving: material ledger data

This blog will explain how to archive material ledger data via object CO_ML_DAT. Generic technical setup must have been executed already, and is explained in this blog.

Object CO_ML_DAT

Go to transaction SARA and select object CO_ML_DAT.

Dependency schedule:

Main tables that are archived:

  • CKMLCR (material ledger data)
  • CKMLPP (period totals)

Technical programs and OSS notes

Write program: SAPRCKMN_NEU

Delete program: SAPRCKMO_NEU

Read from archive: SAPRCKMP_NEU_LESEN


Relevant OSS notes:

Application specific customizing

Archiving object CO_ML_DAT has no specific customizing. Retention period is set on the write program screen.

Executing the write run and delete run

In transaction SARA, CO_ML_DAT select the write run:

Select your data, save the variant and start the archiving write run.

After the write run is done, check the logs. CO_ML_DAT archiving has high speed, and high percentage of archiving (up to 100%).

Proved a good name for the archive file for later use!

Deletion run is standard by selecting the archive file and starting the deletion run.

Data retrieval

Data retrieval is via program SAPRCKMP_NEU_LESEN. But the retrieval has no proper selection. Output is also hard to read.

Report SNIF: search active customer enhancements

Report SNIF can be used to find active customer enhancements like BADI, user exit, BTE event.

To start the report go to transaction SA38, enter report SNIF and execute:

Select the items you want to search for that are implemented and press execute. Wait until the result shows:

Here you can see which exits are active. Double click on a line will jump to the code.

Background OSS notes

Update process debugging

As ABAP developer you sometime need to update a piece of ABAP code that is part of the Update logic. To get debugging done there some more actions are required.

ABAP debugging should only be done by experienced ABAP developers who know the pros and cons of debugging in Update. If you are not experience enough, stop reading and let an experienced person do the job.

Update process debugging

First set your break point in the Z code or standard code that does the update. If you run the normal transaction, you will notice this break point will not be called.

Now start your normal transaction again. Go to debug mode.

Choose menu Settings and Change debugger profile / Settings:

Select Update Debugging and press Save.

In the main transaction go to the point where you are about to save the data. Before pressing the save button, key in /h for debug. Now press the save button. you jump to debug mode. Press F8 to continue the current session. Wait a few seconds, and the update debug will start now:

The update debug starts now. Now you can debug the ABAP logic used in the UPDATE task. Please notice in the debug screen you see you are doing the UPDATE process debug on top of the screen.

If you have set breakpoints before in the correct code then these are now active.