Blog dedicated to Oracle Applications (E-Business Suite) Technology; covers Apps Architecture, Administration and third party bolt-ons to Apps

Wednesday, August 6, 2008

Disable Anonymous access to Diagnostics

Recently we had a security scan from the security team. Here is one high-severity vulnerability item they highlighted:

Users with the "guest" role can see sensitive information by calling the "jtfqalgn.htm" test page.
URIs:
· http://erp11i.justanexample.com:8000/OA_HTML/jtfqalgn.htm
Steps to Reproduce Exploit:
1. Type the following URL in the address bar and press the Enter key:
http://erp11i.justanexample.com:8000/OA_HTML/jtfqalgn.htm
2. You will see the page "Oracle Diagnostic" and you get access as "guest".
3. You can access the application's tests: click on the combo box and select the application, or click on a registered test number.
4. Click on the "Run All Groups" button.
5. You will see the report with the tests that you can run.
6. Click on the report image.
7. You will see the test details.

Recommendations
1. Remove this test page from the production server.
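A quick way to verify the finding, and to re-check it after every diagnostics patch, is to request the test page with no session cookie and look at what comes back. The script below is an added example written for this post; it is not Oracle's code and not from the scan report. It assumes that an unauthenticated request answered with HTTP 200 and a body carrying the "Oracle Diagnostic" heading the report mentions means anonymous access is granted, and that a 401/403 or a redirect (typically to a login page) means it is denied. The sample responses at the bottom are constructed placeholders, as is the login URL in them.

```python
"""Check whether /OA_HTML/jtfqalgn.htm is served to an unauthenticated client.

Added example for this post; not Oracle's code. The markers used to decide
"exposed" vs "denied" are assumptions, documented in classify().
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

DIAG_PATH = "/OA_HTML/jtfqalgn.htm"


@dataclass
class Verdict:
    exposed: bool
    reason: str


def classify(status: int, headers: dict, body: str) -> Verdict:
    """Classify one HTTP response to the diagnostics page.

    Assumptions (not stated by Oracle): 401/403 and a redirect (usually a
    bounce to a login page) mean access was denied; a 200 whose body carries
    the "Oracle Diagnostic" heading described in the scan report means the
    page rendered without any session, i.e. the anonymous-access finding holds.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return Verdict(False, f"HTTP {status}: access denied")
    if status in (301, 302, 303, 307, 308):
        return Verdict(False, f"redirected to {hdrs.get('location', '?')} (login bounce)")
    if status == 200 and re.search(r"Oracle\s+Diagnostic", body, re.IGNORECASE):
        return Verdict(True, "diagnostics page rendered with no session cookie")
    if status == 200:
        return Verdict(False, "HTTP 200 but no diagnostics content (login form?)")
    return Verdict(False, f"unexpected HTTP {status}")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a bounce to a login page is itself the answer."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check(base_url: str, timeout: float = 10.0) -> Verdict:
    """Fetch the test page with a fresh, cookie-less request and classify it."""
    url = base_url.rstrip("/") + DIAG_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "diag-check/1.0"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, dict(resp.headers.items()), body)
    except urllib.error.HTTPError as err:  # raised for unfollowed 3xx and for 4xx/5xx
        body = err.read(65536).decode("utf-8", "replace") if err.fp is not None else ""
        return classify(err.code, dict(err.headers.items()), body)


# Constructed sample responses (placeholders, not captured from a real system).
SAMPLE_EXPOSED = (200, {"Content-Type": "text/html"},
                  "<html><head><title>Oracle Diagnostic</title></head>"
                  "<body>Run All Groups</body></html>")
SAMPLE_LOGIN_BOUNCE = (302, {"Location": "http://erp11i.justanexample.com:8000/login"}, "")
SAMPLE_LOGIN_FORM = (200, {"Content-Type": "text/html"},
                     "<html><body><form>Username / Password</form></body></html>")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://erp11i.justanexample.com:8000"
    v = check(target)
    print(("EXPOSED" if v.exposed else "denied"), "-", v.reason)
```

Run it as `python check_diag.py http://host:port` from a machine with no Apps session; a verdict of EXPOSED reproduces step 2 of the scan. Redirects are deliberately not followed, because following a login bounce and then matching on the login page would hide the distinction the check is meant to make.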

Removing the page from the server is not a good solution, as further diagnostic patches will bring the page back. We have an SR logged with Oracle for this. However, based on the documentation in Metalink note 230331.1:

Diagnostic Roles
Diagnostic Roles determine the activities or tasks that a user can perform on Diagnostics. Some activities of importance are:

>> Running test cases (with different input values in case of advanced tests)
>> Viewing detailed test reports after tests have been run
>> Configuring input values for test cases
>> Adding and deleting test cases and test groups across applications registered with Diagnostics
>> Viewing historical reports for test runs using the LogViewer

We decided that it was appropriate to permit these and other diagnostic activities according to different roles (explained below).

Diagnostics Super User Role:
Has unrestricted privileges to execute, configure, view reports and set up security for all groups and all applications. Out of the box, we have granted this role to the CRM Foundation application responsibility "CRM HTML Administration", which in turn has been assigned to user "sysadmin".

Application Super User:
Has unrestricted privileges (execute, configure, view reports and set up security for test groups) for the application associated with his responsibility. However, this role also permits the user to execute and configure inputs for test groups of low and medium sensitivity across other applications.

End User:
Can execute and configure inputs for test groups of "low sensitivity" only. This user cannot view detailed test reports.

Anonymous User:
If none of the user's responsibilities have an association with any of the above 3 roles, then the user is considered to be an Anonymous user. The Diagnostics engine will restrict access to HTML Platform only. All other test groups across applications are restricted from this user.

Roles can be granted to users through responsibilities. In case a responsibility has been granted a particular ROLE and that responsibility is accessible to a user, the user automatically gets a grant on that ROLE.

So Anonymous User access is allowed by design. I have no idea how they can circumvent this without changing their existing code.
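To make the role matrix from the note concrete, here it is encoded as a small policy function. This is an added example written for this post, not Oracle's code and not the engine's actual implementation. The only grant taken from the note is "CRM HTML Administration" holding the Super User role; the other responsibilities are hypothetical. The note does not say which actions an Anonymous user may perform on the HTML Platform group, so the model grants "execute" and "view_report" there, which is what the scan's steps (Run All Groups, open the report) demonstrated; that is an assumption. Sensitivity tiers are the note's low/medium, plus high.

```python
"""Policy model of the Diagnostics roles described in Metalink note 230331.1.

Added example for this post; not Oracle's code or the engine's real logic.
Responsibilities other than "CRM HTML Administration" are hypothetical, and so
is the set of actions an Anonymous user gets on HTML Platform (see is_allowed).
"""
from enum import Enum


class Role(Enum):
    SUPER = "Diagnostics Super User"
    APP_SUPER = "Application Super User"
    END_USER = "End User"
    ANONYMOUS = "Anonymous User"


LOW, MEDIUM, HIGH = "low", "medium", "high"
HTML_PLATFORM = "HTML Platform"  # the only application open to Anonymous users

# responsibility -> (role, application the role is scoped to; None = all apps)
RESP_ROLES = {
    "CRM HTML Administration": (Role.SUPER, None),   # out-of-the-box grant per the note
    "Receivables Manager": (Role.APP_SUPER, "AR"),   # hypothetical
    "Receivables User": (Role.END_USER, "AR"),       # hypothetical
}


def effective_roles(responsibilities):
    """Roles a user holds through responsibilities; no diagnostics role at all -> Anonymous."""
    grants = [RESP_ROLES[r] for r in responsibilities if r in RESP_ROLES]
    return grants or [(Role.ANONYMOUS, None)]


def is_allowed(responsibilities, action, app, sensitivity):
    """True if any of the user's roles permits `action` on a test group of `app`
    with the given `sensitivity`.

    action: "execute", "configure", "view_report", "setup_security", "manage_tests"
    """
    for role, role_app in effective_roles(responsibilities):
        if role is Role.SUPER:
            return True  # unrestricted, all groups and all applications
        if role is Role.APP_SUPER:
            if role_app == app:
                return True  # unrestricted within the responsibility's own application
            if action in ("execute", "configure") and sensitivity in (LOW, MEDIUM):
                return True  # low/medium groups of other applications
        if role is Role.END_USER:
            if action in ("execute", "configure") and sensitivity == LOW:
                return True  # low sensitivity only; never detailed reports
        if role is Role.ANONYMOUS:
            # ASSUMPTION: the note only says "HTML Platform only"; the scan showed
            # running groups and opening the report, so those two are granted here.
            if app == HTML_PLATFORM and action in ("execute", "view_report"):
                return True
    return False


def guest_surface():
    """What a user with no diagnostics role can reach: the crux of the finding."""
    return sorted(
        (app, action)
        for app in (HTML_PLATFORM, "AR")
        for action in ("execute", "configure", "view_report")
        if is_allowed([], action, app, LOW)
    )


if __name__ == "__main__":
    for app, action in guest_surface():
        print(f"guest may {action} on {app}")
```

The point the model makes visible is the last branch: a session with no diagnostics role is not "no access", it is the Anonymous role, and that role is granted by the absence of any responsibility mapping rather than by one you could revoke. That is why removing responsibilities from the guest user does not close the finding.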
