This started out perfectly innocently as I needed to go into a test environment and reset a user account password so that they could get into the application and test something out. Imagine my surprise when I encountered this scenario!
USERA logs into the application, in a second window USERB logs into the application but is prompted for a password change; going back to the first window and logging out USERA provides you with a returning User ID of GUEST for some strange reason and not USERA. This means to me that before USERB gets authenticated, the Oracle EBS utilizes the GUEST user account and gets an authenticated session with that user ID.
This pretty much blew my mind, and lead me to do some more investigation of security issues related to user security for EBS so this week I give you "Security Week" after finding quite a few interesting nuggets from My Oracle Support.
Even better to prove my original hypothesis, going back to the window for USERB and trying to complete the password change attempt results in this message being displayed:
Error : You do not have a current session, please log in before visiting this URL.
No comments:
Post a Comment