Wednesday, August 14, 2013

Unauthenticated setting of a profile value

You read the title right.  Oracle has documented in My Oracle Support note 364503.1 how you can set a profile value without being authenticated to the EBS application at all.  Sure, it is intended for emergency use and only by those who want to do some good or fix their own systems.  What if it is used by individuals who don't exactly have good things in mind?  Would it be possible for somebody to get an authenticated database session to your system, maybe using other things I talk about during Security Week, and then really start to take over your EBS application?  Maybe they don't even try to take over your EBS system, but just start to collect usernames and passwords by changing something like where your authentication system redirects to, which can then be leveraged against more sensitive systems you might have.

Of course, if they get an authenticated database session with enough privileges this might be a moot point, but if you visit that note you might at least find out a new way of setting your profile values!
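Since a profile value changed from a bare database session never passes through the application's own audit trail, the practical defence is to baseline the values you care about and compare regularly. The following is an added example (not from this post, from Oracle, or from the MOS note) that diffs two exports of profile option values and ranks the changes. The row shape mirrors columns that exist in FND_PROFILE_OPTION_VALUES joined to FND_PROFILE_OPTIONS (PROFILE_OPTION_NAME, LEVEL_ID, LEVEL_VALUE, PROFILE_OPTION_VALUE, LAST_UPDATED_BY, LAST_UPDATE_DATE); the watch list of authentication-related option names, the trusted user ids and the sample rows are all constructed for the example.

```python
"""Detect unexpected changes to E-Business Suite profile option values.

Added example: compares a baseline export of profile values against a fresh
export and flags rows that changed. Changes to authentication-related options,
and changes made by a user id outside the trusted set, are raised to HIGH.
Row fields mirror FND_PROFILE_OPTION_VALUES / FND_PROFILE_OPTIONS columns;
all sample data below is constructed, not taken from a real system.
"""
from dataclasses import dataclass
from datetime import datetime

# Profile option level ids used by EBS (site, application, responsibility, user).
LEVEL_NAMES = {10001: "SITE", 10002: "APPLICATION",
               10003: "RESPONSIBILITY", 10004: "USER"}

# Assumed watch list: options that steer where authentication is sent.
SENSITIVE_OPTIONS = {"APPS_AUTH_AGENT", "APPS_SSO", "APPS_SERVLET_AGENT",
                     "ICX_FORMS_LAUNCHER"}

# Assumed set of FND_USER.USER_ID values allowed to change profile options.
TRUSTED_USER_IDS = {0, 1001}


@dataclass(frozen=True)
class ProfileRow:
    option_name: str        # FND_PROFILE_OPTIONS.PROFILE_OPTION_NAME
    level_id: int           # FND_PROFILE_OPTION_VALUES.LEVEL_ID
    level_value: str        # FND_PROFILE_OPTION_VALUES.LEVEL_VALUE
    value: str              # FND_PROFILE_OPTION_VALUES.PROFILE_OPTION_VALUE
    last_updated_by: int    # FND_PROFILE_OPTION_VALUES.LAST_UPDATED_BY
    last_update_date: datetime


def row_key(row):
    """A profile value is unique per option, level and level value."""
    return (row.option_name, row.level_id, row.level_value)


def diff_profiles(baseline, current, trusted_user_ids):
    """Return findings for rows that were changed, added or removed.

    Each finding is a dict with option, level, severity, reasons and the
    updater recorded on the row. HIGH findings sort first.
    """
    base = {row_key(r): r for r in baseline}
    cur = {row_key(r): r for r in current}
    findings = []
    for k, row in cur.items():
        old = base.get(k)
        if old is not None and old.value == row.value:
            continue  # unchanged
        severity = "HIGH" if row.option_name in SENSITIVE_OPTIONS else "MEDIUM"
        reasons = ["new row" if old is None
                   else f"value changed from {old.value!r} to {row.value!r}"]
        if row.last_updated_by not in trusted_user_ids:
            reasons.append(f"updated by untrusted user id {row.last_updated_by}")
            severity = "HIGH"
        findings.append({
            "option": row.option_name,
            "level": LEVEL_NAMES.get(row.level_id, str(row.level_id)),
            "level_value": row.level_value,
            "severity": severity,
            "reasons": reasons,
            "updated_by": row.last_updated_by,
            "when": row.last_update_date,
        })
    for k, old in base.items():
        if k not in cur:
            findings.append({
                "option": old.option_name,
                "level": LEVEL_NAMES.get(old.level_id, str(old.level_id)),
                "level_value": old.level_value,
                "severity": "MEDIUM",
                "reasons": ["row removed"],
                "updated_by": old.last_updated_by,
                "when": old.last_update_date,
            })
    return sorted(findings, key=lambda f: (f["severity"] != "HIGH", f["option"]))


# Constructed sample exports: a known-good baseline and a later snapshot.
SAMPLE_BASELINE = [
    ProfileRow("APPS_AUTH_AGENT", 10001, "SITE", "https://sso.corp.example/oam",
               0, datetime(2013, 6, 1)),
    ProfileRow("ICX_SESSION_TIMEOUT", 10001, "SITE", "30", 0, datetime(2013, 6, 1)),
    ProfileRow("SIGNON_PASSWORD_LENGTH", 10001, "SITE", "8", 0, datetime(2013, 6, 1)),
]
SAMPLE_CURRENT = [
    # Redirect target changed, and by a user id that is not on the trusted list.
    ProfileRow("APPS_AUTH_AGENT", 10001, "SITE", "https://unknown-host.example/oam",
               -1, datetime(2013, 8, 13, 23, 40)),
    # Routine change by a trusted administrator.
    ProfileRow("ICX_SESSION_TIMEOUT", 10001, "SITE", "60", 1001, datetime(2013, 8, 10)),
    ProfileRow("SIGNON_PASSWORD_LENGTH", 10001, "SITE", "8", 0, datetime(2013, 6, 1)),
]

if __name__ == "__main__":
    for f in diff_profiles(SAMPLE_BASELINE, SAMPLE_CURRENT, TRUSTED_USER_IDS):
        print(f"[{f['severity']}] {f['option']} @ {f['level']}/{f['level_value']} "
              f"by user {f['updated_by']} on {f['when']:%Y-%m-%d}: "
              + "; ".join(f["reasons"]))
```

Feeding this from a scheduled export of the real tables (rather than the constructed lists) turns it into a cheap drift monitor; the point is that the database row itself carries the LAST_UPDATED_BY and LAST_UPDATE_DATE that an out-of-band change leaves behind, so a baseline comparison catches what the application's own screens never logged.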
