Tuesday

A Great Oracle Business Intelligence Blog

For the new project I am on we are using Oracle's Business Intelligence Suite. I have to give props to Venkat's Oracle BI Blog; it has helped me out quite a bit over the past few weeks. Based on his last article, I think it's safe to say I'm not alone.

I've placed it in my blog list in the right hand column as well.

Saturday

Blogs I follow

I've added a column on the right with some of the blogs I follow. I know there are more, but most of them I read through OraNA. On busy days I have missed articles via OraNA, so I started to add them to Google Reader. It was easy to import them into my blog, so I did, in case others may be interested.

Thursday

Allow/Deny Directives Ignored

Just a quick note to let you know about a potential security vulnerability when you are using Oracle's Web Cache and HTTP Server on the same server. Note 263943.1 contains all of the details, but in a nutshell: instead of the client IP address being passed to the HTTP server, Web Cache passes its own IP address. Thus certain Allow/Deny rules that you may have set up in your httpd.conf file may not work as expected.

For example, from the application server httpd.conf file (the Location path below is the server-status URL that the SetHandler line serves; the original snippet lost it in extraction):

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from localhost myserver.mydomain myserver
</Location>

The server status page contains some useful information to aid in troubleshooting performance problems with the application server (see note 280165.1). It also contains information that you would not want potential crackers to see, such as the server's version and the requests currently in progress.

As you can see from the Deny/Allow entries above, we only want requests from the localhost or myserver (myserver == localhost) to gain access. However, since Web Cache is on the same server, it is passing the server's IP address instead of the client's. Thus the HTTP server believes every request is from a local client and grants access. Obviously, this is not the intended effect.

This is just one example and if you are relying on Allow/Deny rules to restrict access to certain parts of your applications, then you may be exposing more than you think.

The solution is to change the parameter UseWebCacheIp to ON in the Oracle HTTP Server httpd.conf file and restart it. Please see note 263943.1 for the versions affected and the patch levels required before making this change.
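To make the failure mode concrete, here is a small model (added here; not Oracle's code) of how the Deny/Allow block above is evaluated with UseWebCacheIp OFF versus ON. It assumes Web Cache reaches OHS from 127.0.0.1, that it forwards the original client address in a ClientIP request header, and that localhost/myserver resolve to the constructed addresses 127.0.0.1 and 10.0.0.5.

```python
# Model of OHS evaluating "Order deny,allow / Deny from all / Allow from ..."
# for /server-status behind Web Cache on the same host. Added example, not
# Oracle code. Assumptions (constructed values): Web Cache talks to OHS from
# 127.0.0.1, forwards the real client in a "ClientIP" header, and the names in
# the Allow directive resolve to 127.0.0.1 or the server's own 10.0.0.5.
from dataclasses import dataclass, field

# Addresses that "Allow from localhost myserver.mydomain myserver" resolves to
ALLOWED_ADDRS = {"127.0.0.1", "10.0.0.5"}
WEBCACHE_ADDR = "127.0.0.1"   # Web Cache and OHS share the box


@dataclass
class Request:
    peer_addr: str                            # TCP peer OHS actually sees
    headers: dict = field(default_factory=dict)


def effective_client_addr(req: Request, use_webcache_ip: bool) -> str:
    """UseWebCacheIp OFF: OHS judges by the TCP peer, i.e. Web Cache itself.
    ON: when the peer is Web Cache, use the address it forwarded instead.
    The header is only trusted from the Web Cache peer, so a direct
    connection to the OHS port cannot supply its own ClientIP value."""
    if use_webcache_ip and req.peer_addr == WEBCACHE_ADDR:
        forwarded = req.headers.get("ClientIP")
        if forwarded:
            return forwarded
    return req.peer_addr


def server_status_allowed(req: Request, use_webcache_ip: bool) -> bool:
    """Order deny,allow; Deny from all; Allow from <list>: everything is
    denied unless the evaluated address matches an Allow entry."""
    return effective_client_addr(req, use_webcache_ip) in ALLOWED_ADDRS


def via_webcache(client_ip: str) -> Request:
    """Constructed request as it reaches OHS after passing through Web Cache."""
    return Request(peer_addr=WEBCACHE_ADDR, headers={"ClientIP": client_ip})


if __name__ == "__main__":
    external = via_webcache("203.0.113.7")   # some remote browser
    for setting in (False, True):
        verdict = "ALLOWED" if server_status_allowed(external, setting) else "denied"
        print(f"UseWebCacheIp {'ON' if setting else 'OFF'}: external client {verdict}")
```

With the setting OFF every proxied request, remote or local, evaluates as 127.0.0.1 and passes the Allow list; with it ON only requests that Web Cache reports as coming from an allowed address get through.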

I am not sure why this parameter isn't enabled by default and I can't think of a reason as to why not. However, I am new to supporting a standalone application server and there must be a reason otherwise Oracle would have it enabled. Do you know of one? If so, please leave a comment.