Integrigy Security Alert

______________________________________________________________________

Oracle Reports Server APPS Password Disclosure

November 12, 2002

______________________________________________________________________

Summary:

The Oracle Reports Server may disclose the current APPS password.  Oracle Reports Server is installed as part of the default installation and is used by Oracle Business Intelligence (BIS) and related business intelligence modules (Financial Intelligence, etc.).

Product:    Oracle E-Business Suite

Versions:   11.5.x - All versions

Platforms:  All platforms

Risk Level: High

______________________________________________________________________

Description:

The Oracle Reports Server has an administration feature that provides debugging information and control of report jobs. One of the administration commands will display the contents of the CGIcmd.dat file located in the 8.0.6 Oracle Home. This file contains the APPS password, which is used by the Reports Server to connect to the 11i database.

The Oracle Reports Server is installed through the standard installation procedures. The default APPS password will be stored in the CGIcmd.dat file. Only the Oracle Business Intelligence System uses the Reports Server – it is not used by the Concurrent Manager.

This problem affects all BIS modules – Financials Intelligence, Operations Intelligence, Purchasing Intelligence, Human Resources Intelligence, Supply Chain Intelligence, Marketing Intelligence, Customer Intelligence, Process Mfg Intelligence, Sales Intelligence, Call Center Intelligence, and Oracle Engineering Intelligence System.

Even if BIS is not being used, the password in the CGIcmd.dat file may be current.

Solution:

Add the following line to the end of the apps.conf file in the Apache conf directory, which is usually found in the <sid>ora/iAS/Apache/Apache/conf directory –

      SetEnv REPORTS60_CGINODIAG=Yes

Stop and start the Apache server using the adapcctl.sh script.

When accessing the administration functions, you will now receive the following message –

      “Oracle Reports Server CGI Error: The requested URL was not found, or cannot be served at this time.”

      “Incorrect usage.”
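To verify that the mitigation above is actually in place on a server, here is an added example (not part of the Integrigy alert) that scans the text of an apps.conf for an active SetEnv REPORTS60_CGINODIAG=Yes line. The directive and variable name come from the alert; the parsing rules (leading "#" comments, case-insensitive directive names) follow Apache's general configuration syntax, and the sample fragments are constructed.

```python
"""Audit an Apache apps.conf for the Reports Server diagnostic-disable setting."""
import re
import sys

# Accepts "SetEnv REPORTS60_CGINODIAG=Yes" (the form given in the alert) as well
# as the space-separated "SetEnv REPORTS60_CGINODIAG Yes" form, case-insensitively.
_SETENV_RE = re.compile(
    r"^\s*SetEnv\s+REPORTS60_CGINODIAG\s*(?:=|\s)\s*(\S+)\s*$", re.IGNORECASE
)


def check_apps_conf(conf_text: str) -> str:
    """Classify a conf as 'mitigated', 'commented_out' or 'missing'.

    'commented_out' means the line exists but is disabled with '#', which is a
    common way for the fix to look applied while having no effect.
    """
    status = "missing"
    for raw in conf_text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        m = _SETENV_RE.match(line.lstrip("#").strip())
        if not m or m.group(1).lower() != "yes":
            continue
        if not commented:
            return "mitigated"  # an active line is sufficient wherever it appears
        status = "commented_out"
    return status


# Constructed sample fragments; paths are placeholders, not a real installation.
UNMITIGATED_CONF = """\
# apps.conf - constructed sample for Oracle E-Business Suite 11i
Alias /OA_HTML/ /placeholder/comn/html/
ScriptAlias /OA_CGI/ /placeholder/comn/cgi-bin/
"""
COMMENTED_CONF = UNMITIGATED_CONF + "# SetEnv REPORTS60_CGINODIAG=Yes\n"
MITIGATED_CONF = UNMITIGATED_CONF + "SetEnv REPORTS60_CGINODIAG=Yes\n"

if __name__ == "__main__":
    # Pass the path to a real apps.conf; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNMITIGATED_CONF
    print(check_apps_conf(text))
```

Run it against each Apache instance serving the 11i tier, since apps.conf is per instance and a missing or commented-out line on any one of them leaves that instance exposed.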

Additional Information:

Metalink Note ID 119825.1

Metalink Note ID 133957.1

______________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications.

For more information, visit www.integrigy.com.
