Posting this because I had a hard time disabling all of the reports functionality in Fusion Middleware Server…this will also work for older versions of Oracle Application Server.
Just wanted to alert people to the fact that you may have a major security hole with Oracle Reports Server.
We don’t use it at our site and it is my understanding that it is subject to SQL injection attacks.
First off, I would check that Oracle Reports is not reachable from outside your firewall or VPN.
Once I was made aware of the possible security issue, the next step was figuring out how to disable it.
What I found was this MOS article on disabling the help menu.
How to Disable the Oracle Reports Servlet HELP Command URL? [ID 465454.1]
So…I did it quick and dirty by adding the block below to httpd.conf on all of my application servers (FMW, OAS 10g, etc.) and restarting all of the services. It doesn’t seem to take effect if you only restart OHS. The only thing I did differently from the article was to remove the word help, so it denies access to EVERYTHING under reports/rwservlet rather than just the help command.
<Location /reports/rwservlet/*>
    Order deny,allow
    Deny from all
</Location>
NOTE: THIS WILL DISABLE ORACLE REPORTS COMPLETELY. Don’t do this if you still want Oracle Reports functionality. Contact your Oracle support team for their best practice on how to make it secure.
See: Oracle Doc ID 856135.1 How to Deregister Standalone Reports Server 11g From OPMN And Oracle
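As an added check (this script is not part of the original post), the following probes the usual rwservlet entry points through OHS and reports which ones still answer after the deny is in place and the services have been restarted. The base URL is a placeholder you pass on the command line, and curl is assumed to be installed. The bare /reports/rwservlet path with a query string is probed on purpose: an Apache <Location> pattern that ends in /* only covers request paths that contain the slash after the servlet name, so if that probe reports EXPOSED, widen the block to <Location /reports/rwservlet> (plain prefix, no wildcard). On OHS releases built on Apache 2.4, the 2.2-style Order/Deny directives need mod_access_compat; the native equivalent is Require all denied.

```shell
#!/bin/sh
# Added verification script (not from the post): probe Reports servlet
# entry points and report whether each is refused by the web server.
# Assumes curl is installed; the base URL (placeholder) is argument 1.

# Request paths to probe. The first one is the bare servlet with a query
# string; a "<Location /reports/rwservlet/*>" pattern does not cover it.
# The keyword paths are documented rwservlet web commands.
PROBE_PATHS="/reports/rwservlet?server=rep_srv
/reports/rwservlet/
/reports/rwservlet/help
/reports/rwservlet/showenv
/reports/rwservlet/showjobs"

# http_status URL -> prints the HTTP status code; curl prints 000 when no
# HTTP answer came back at all (DNS failure, refused connection, timeout).
http_status() {
  curl -k -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# classify STATUS -> BLOCKED | UNREACHABLE | EXPOSED
# 403 is what "Deny from all" produces. Anything else that is a real HTTP
# answer (200, 302 to a login page, 500, ...) means the servlet is still
# being reached and is reported as EXPOSED.
classify() {
  case "$1" in
    403)    echo BLOCKED ;;
    000|'') echo UNREACHABLE ;;
    *)      echo EXPOSED ;;
  esac
}

# check_rwservlet BASE_URL -> prints one verdict per path, returns 0 only
# when no path is still exposed.
check_rwservlet() {
  base="$1"
  exposed=0
  # Heredoc loop (not a pipeline) so the counter survives the loop.
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    verdict=$(classify "$(http_status "$base$path")")
    printf '%-12s %s\n' "$verdict" "$base$path"
    [ "$verdict" = EXPOSED ] && exposed=$((exposed + 1))
  done <<EOF
$PROBE_PATHS
EOF
  [ "$exposed" -eq 0 ]
}

# Only probe when a base URL is given, e.g.
#   sh check_rwservlet.sh https://reports.example.invalid
if [ $# -gt 0 ]; then
  check_rwservlet "$1"
fi
```

Run it once before the change to confirm the probes actually reach the servlet (they should show EXPOSED), then again after the restart; a non-zero exit means at least one path still answers. A 404 is reported as EXPOSED as well, since it means the request reached the application tier rather than being refused by OHS.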
Hi April,
In case you are not aware of this, you can set access permission for the rwservlet web commands in the rwservlet.properties file.
In Reports 11g, you can add the following property to disallow access to the web commands:
L0
Note: The HELP command is still available with this change in place.
“The element specifies access permission for rwservlet keywords (Web commands) for a non-secure server. Note: For secure Reports Server, Reports Server verifies the user’s privileges based on the entries in Oracle Internet Directory.”
Reference:
http://docs.oracle.com/cd/E12839_01/bi.1111/b32121/pbr_conf003.htm#CHDHEBDG
Yes, I am aware of the 11g features…this post is for pre-11g or those who need a quick security fix put into place. Thanks.