Tuesday, August 13, 2013

APPLSYSPUB security - Part 2

This article follows up my first one on securing the APPLSYSPUB account and covers yet another place where the password is hidden in your system, one that Oracle will ask you for.  When the report Diagnostics: Apps Check (OMCHECK.sql) is run with the parameter Application Object Library, it lists all of the associated Profile Option Values for the Application Object Library module. That doesn't seem like a bad thing until you realize that it will list the value for the profile option "Gateway User ID".

Not only does this profile option value have the username/password combination for APPLSYSPUB hard-coded, but the Diagnostics: Apps Check report also has no further security validation built into it, so once it is available to a responsibility it is available to run for ANY module.  Ever have to add this to a responsibility to give Oracle some data?  Did you make sure to remove it?  Do you know who is running this in your system?
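One way to answer those last two questions, as an added example that is not part of the original post: two audit queries against the standard FND tables, run as APPS or another account with select access. They assume the report is registered under the user-facing name given above and that US language rows are installed.

```sql
-- Added example (not from the original post). Assumes the program's
-- user-facing name is 'Diagnostics: Apps Check', as named in the post.

-- 1. Active responsibilities whose request group exposes the report,
--    either as an individual program ('P') or because the group
--    includes the report's whole application ('A').
SELECT DISTINCT rt.responsibility_name,
       rg.request_group_name,
       rgu.request_unit_type
FROM   fnd_concurrent_programs_tl cpt
JOIN   fnd_request_group_units rgu
       ON (rgu.request_unit_type = 'P'
           AND rgu.unit_application_id = cpt.application_id
           AND rgu.request_unit_id     = cpt.concurrent_program_id)
       OR (rgu.request_unit_type = 'A'
           AND rgu.request_unit_id     = cpt.application_id)
JOIN   fnd_request_groups rg
       ON  rg.application_id   = rgu.application_id
       AND rg.request_group_id = rgu.request_group_id
JOIN   fnd_responsibility r
       ON  r.group_application_id = rg.application_id
       AND r.request_group_id     = rg.request_group_id
JOIN   fnd_responsibility_tl rt
       ON  rt.application_id    = r.application_id
       AND rt.responsibility_id = r.responsibility_id
       AND rt.language          = cpt.language
WHERE  cpt.user_concurrent_program_name = 'Diagnostics: Apps Check'
AND    cpt.language = 'US'
AND    NVL(r.end_date, SYSDATE + 1) > SYSDATE
ORDER  BY rt.responsibility_name;

-- 2. Who has run the report, from which responsibility, and with
--    which parameters (argument_text shows the module that was chosen).
SELECT u.user_name,
       rt.responsibility_name,
       cr.request_id,
       cr.request_date,
       cr.argument_text
FROM   fnd_concurrent_requests cr
JOIN   fnd_concurrent_programs_tl cpt
       ON  cpt.application_id        = cr.program_application_id
       AND cpt.concurrent_program_id = cr.concurrent_program_id
JOIN   fnd_user u
       ON  u.user_id = cr.requested_by
JOIN   fnd_responsibility_tl rt
       ON  rt.application_id    = cr.responsibility_application_id
       AND rt.responsibility_id = cr.responsibility_id
       AND rt.language          = cpt.language
WHERE  cpt.user_concurrent_program_name = 'Diagnostics: Apps Check'
AND    cpt.language = 'US'
ORDER  BY cr.request_date DESC;
```

The second query only reaches back as far as your concurrent request purge retention, so an empty result does not prove the report was never run.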
