Support  |  Site Map  |  How to Buy  |  Contact Us

Risk of Information Leakage from the Oracle E-Business Suite - Validation Levels

January 31, 2014

Through parameter and URL tampering an attacker, or nefarious insider, can manipulate and/or construct URLs to expose information and/or attempt to circumnavigate Oracle E-Business Suite functionality - including parts of application security. There are several profile options that provide defense in depth against cross-site scripting (XSS), HTML injection attacks, and parameter and URL tampering. Setting these profile options to the recommended values below will contribute to reducing your information leakage risks.

If you have questions, please contact us.

Profile Option

Default Value

Recommended Value

FND: Validation Level

Error as of R12

Error

(R12.2 does not allow to be changed)

FND: Function Validation Level

Error as of 11.5.10 CU 10

Error

(R12.2 does not allow to be changed)

Framework Validation Level

Error as of 11.5.10 CU 10

Error

(R12.2 does not allow to be changed)

Restricted Text Input

Yes

Yes

FND: Fixed Key Enabled

Null

Yes

FND: Fixed Key

None

Yes, only at User level

References

  • Secure Configuration of Oracle E-Business Suite Profiles (MOS Doc ID 946372.1)
  • Oracle Application Framework Profile Options (MOS Doc ID 1107970.1)