The URL firewall is implemented as a whitelist of the URLs that are required. Any URL request that does not match an entry in the whitelist is refused. It limits the exposure of Oracle Applications by reducing the attack surface available to external parties.
Integrigy recommends that all pages which are not accessed from the Internet should be commented out in the URL firewall.
On January 25, 2006, David Litchfield of NGS released information about an unfixed security bug in Oracle’s PLSQL Gateway (also referred to as mod_plsql).
This is a critical security vulnerability in mod_plsql, which is used by Oracle Applications 11i. The vulnerability allows an attacker using only a web browser and having access to an Oracle Applications 11i application server to (1) execute any SQL statement or anonymous PL/SQL block as the APPS account or (2) retrieve and view any data accessible by the APPS account.
Integrigy (www.integrigy.com) recommends the following on extranet web tiers:
All access to mod_plsql can be disabled by blocking it with the URL firewall. In the url_fw.conf file, comment out all references that start with /pls/. There are three groups of Rewrite rules containing /pls/: (1) on-line help (PLS Help), (2) iReceivables, and (3) iRecruitment. On-line help will be disabled, but so will all access to mod_plsql from the Internet. After Oracle releases a patch that fixes the vulnerability in mod_plsql, re-enable the on-line help.
If the iReceivables or iRecruitment modules are in use, carefully review the Rewrite rules to determine whether those web pages are actually used in your implementation, by checking the Apache log files in the production environment.
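The two steps above (confirm from the Apache access log whether anything under /pls/ is actually requested, then comment out every active /pls/ rule in url_fw.conf) can be scripted. The following is an added example written for this page; it is not Oracle's or Integrigy's code, and the log lines and the url_fw.conf-style excerpt inside it are constructed samples in the shape of Apache common-log lines and mod_rewrite rules, not the real Oracle rule text. The function names (count_pls_requests, total_pls_requests, comment_out_pls_rules, active_pls_rules) and the #MODPLSQL_DISABLED marker are this example's own choices.

```shell
#!/bin/sh
# Added example, not Oracle's or Integrigy's code. Helpers for the two steps above:
#   count_pls_requests / total_pls_requests - tally /pls/ (mod_plsql) requests in an Apache access log
#   comment_out_pls_rules / active_pls_rules - disable every active /pls/ rule in a url_fw.conf copy
# All sample data below is constructed; the real url_fw.conf rules are not reproduced here.
set -eu

# Constructed Apache common-log lines: field 7 is the requested path.
SAMPLE_LOG='10.0.0.5 - - [25/Jan/2006:10:00:01 -0500] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512
10.0.0.6 - - [25/Jan/2006:10:00:02 -0500] "GET /pls/SAMPLE/help/index.htm HTTP/1.1" 200 1024
10.0.0.7 - - [25/Jan/2006:10:00:03 -0500] "GET /pls/SAMPLE/help/index.htm HTTP/1.1" 200 1024
10.0.0.8 - - [25/Jan/2006:10:00:04 -0500] "GET /pls/SAMPLE/irec_pkg.page?p_id=7 HTTP/1.1" 200 2048
10.0.0.9 - - [25/Jan/2006:10:00:05 -0500] "GET /OA_HTML/RF.jsp?function_id=1 HTTP/1.1" 200 800'

# Constructed url_fw.conf-style excerpt (hypothetical rules in mod_rewrite syntax).
SAMPLE_CONF='# --- constructed excerpt, not the real url_fw.conf ---
RewriteRule ^/OA_HTML/AppsLogin$ - [L]
# on-line help rule, already commented out in this sample
# RewriteRule ^/pls/[^/]+/help/.*$ - [L]
RewriteRule ^/pls/[^/]+/irec_pkg\..*$ - [L]
RewriteRule ^/pls/[^/]+/ireceivables_sample\..*$ - [L]
RewriteRule ^/OA_HTML/RF\.jsp.*$ - [L]'

# Print "count path" for every /pls/ request in the access log read on stdin, busiest
# first. Query strings are stripped so the same page is counted once. No output means
# nothing under /pls/ was requested in the period the log covers.
count_pls_requests() {
  awk '$7 ~ /^\/pls\// { sub(/\?.*/, "", $7); n[$7]++ }
       END { for (p in n) print n[p], p }' | sort -rn
}

# Total number of /pls/ requests in the log read on stdin (0 when there are none).
total_pls_requests() {
  count_pls_requests | awk '{ s += $1 } END { print s + 0 }'
}

# Read a url_fw.conf on stdin and write it to stdout with every uncommented line that
# references /pls/ turned into a comment. Lines that are already comments are skipped,
# so running the function twice changes nothing.
comment_out_pls_rules() {
  sed -e '/^[[:space:]]*#/b' -e '/\/pls\//s/^/#MODPLSQL_DISABLED /'
}

# Number of active (uncommented) lines that still reference /pls/ in the config read
# on stdin; 0 means mod_plsql is fully blocked at the URL firewall.
active_pls_rules() {
  grep -v '^[[:space:]]*#' | grep -c '/pls/' || true
}

# Stand-alone run: report on the sample log, then show the hardened sample config.
echo "mod_plsql requests in sample log (count path):"
printf '%s\n' "$SAMPLE_LOG" | count_pls_requests
echo "active /pls/ rules before: $(printf '%s\n' "$SAMPLE_CONF" | active_pls_rules)"
echo "url_fw.conf with /pls/ rules disabled:"
printf '%s\n' "$SAMPLE_CONF" | comment_out_pls_rules
echo "active /pls/ rules after: $(printf '%s\n' "$SAMPLE_CONF" | comment_out_pls_rules | active_pls_rules)"
```

On a real web tier, feed the production Apache access_log to count_pls_requests to see which /pls/ pages (help, iReceivables, iRecruitment) are requested at all, and run comment_out_pls_rules on a copy of url_fw.conf rather than in place so the original can be diffed and restored when the help rules are re-enabled after patching. The marker comment makes the disabled rules easy to find again with grep.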
Official Oracle documentation on url_fw.conf is available in Appendix E of Metalink note 287176.1.
Oracle has also published Metalink note 460564.1, which has hints and tips for troubleshooting the URL firewall.