Blog dedicated to Oracle Applications (E-Business Suite) Technology; covers Apps Architecture, Administration and third party bolt-ons to Apps

Thursday, August 23, 2007

url_fw.conf The URL Firewall configuration file

The purpose of the URL Firewall is to ensure that only URLs required for the externally exposed functionality can be accessed from the internet. The file is present in $IAS_CONFIG_HOME/Apache/Apache/conf/url_fw.conf

The URL firewall is implemented as a whitelist of URLs required. Any URL request that is not matched in the whitelist is refused. It limits the exposure of Oracle Apps by reducing the attack surface available to external parties.

Integrigy recommends that all the pages which are not being accessed from internet, should be commented in the URL firewall.

On January 25, 2006, David Litchfield of NGS released information about an unfixed security bug in Oracle’s PLSQL Gateway (also referred to as mod_plsql).

This is a critical security vulnerability in mod_plsql, which is used by Oracle Applications 11i. The vulnerability allows an attacker using only a web browser and having access to an Oracle Applications 11i application server to (1) execute any SQL statement or anonymous PL/SQL block as the APPS account or (2) retrieve and view any data accessible by the APPS account.

Integrigy( recommends the following to be done on extranet web tiers:

All access to mod_plsql can be disabled by blocking access to mod_plsql using the URL firewall. In the url_fw.conf file, comment out all references that start with /pls/. There are three groups of Rewrite rules with /pls/ -- (1) on-line help or PLS Help, (2) iReceivables, and (3) iRecruitment. On-line help will be disabled, but so will all access to mod_plsql from the Internet. After Oracle releases a patch to fix the vulnerability in mod_plsql, re-enable the on-line help.

If the iReceivables or iRecruitment modules are being used, carefully review the Rewrite rules to see if these web pages are being used in your implementation by checking the Apache log files in the production environment.

Official Oracle documentation on url_fw.conf is available in Appendix E of Metalink note 287176.1.

Oracle has also published metalink note 460564.1 which has hints and tips for troubleshooting URL firewall.


Anonymous said...

For more information on the URL firewall, see Metalink document:
Note:460564.1-Hints and Tips for Troubleshooting the URL Firewall

Amit Joshi said...

Hello Vikram,
i am able to login in to oracle apps with coorect username and password but for invalid user its giving error saying that "Request URI TOO Large". And also when i paste my url http://......../OA_HTML/AppsLocalLogin.jsp in address bar its also giving same error
Please help its very urgent
Thanks in Advance