We are running SGD version 4.62. We recently had a security vulnerability assessment performed by an outside agency against our SGD website. They reported several vulnerabilities:
Here are some of the results reported:
1. /sgd/index.jsp [IC_JOIN parameter]
   /sgd/index.jsp [ko parameter]
   /sgd/index.jsp [langSelected parameter]
   /sgd/index.jsp [name of an arbitrarily supplied request parameter]
   Vulnerability: Reflected Cross-Site Scripting Detected
2. /sgd/tcc/java/ttalwG-jps.jar
   /sgd/webtops/standard/webtop/session-grabbed.jsp
   Vulnerability: Cacheable HTTPS Response
3. /sgdadmin/faces/jsp/Login.jsp
   /sgdadmin/theme/com/sun/web/ui/oracletheme/images/other/dot.gif
   Vulnerability: Session Token Appears in the URL
Will newer versions resolve these issues, or is there something we can do to work around them?
I'm always reluctant to discuss vulnerabilities on public forums, but I think I can say there were a number of "policy" changes and fixes incorporated into 4.70 to address security concerns and vulnerabilities.
Beyond that, if you want specific answers to specific vulnerabilities, you'll probably need to raise an SR.
SGD 4.7 with Security Guide configs
Security Guide - http://docs.oracle.com/cd/E26362_01/E36389/html/index.html
If your scan fails, then open a My Oracle Support Service Request using your valid Secure Global Desktop support identifier.
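As an added example (not from this thread or from Oracle), here is a small Python checker that re-tests a captured response for the three finding classes the scan reported, so the re-scan suggested above can be spot-checked after applying the Security Guide configuration. The host name, the session parameter names, the marker value and both sample responses are constructed assumptions, not taken from the scan report.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed list of query-parameter names that typically carry a session id (assumption).
SESSION_PARAMS = {"jsessionid", "sessionid", "sid", "token"}
MARKER = 'sgdchk"<>'  # benign tester-supplied value containing characters a page must escape

def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def reflected_unescaped(body: str, marker: str = MARKER) -> bool:
    """Reflected XSS indicator: the marker is echoed verbatim. An HTML-escaped echo passes."""
    return marker in body

def is_cacheable(headers: dict) -> bool:
    """'Cacheable HTTPS Response' indicator: Cache-Control lacks the no-store directive."""
    directives = {d.strip().lower() for d in _header(headers, "Cache-Control").split(",")}
    return "no-store" not in directives

def session_in_url(url: str) -> bool:
    """'Session Token Appears in the URL': ;jsessionid path parameter or a session query key."""
    parts = urlsplit(url)
    if re.search(r";jsessionid=", parts.path, re.I):
        return True
    return any(k.lower() in SESSION_PARAMS for k in parse_qs(parts.query))

def classify(url: str, headers: dict, body: str, marker: str = MARKER) -> list:
    """Return the names of the scan findings that the captured response still exhibits."""
    findings = []
    if reflected_unescaped(body, marker):
        findings.append("Reflected Cross-Site Scripting")
    if is_cacheable(headers):
        findings.append("Cacheable HTTPS Response")
    if session_in_url(url) or session_in_url(_header(headers, "Location")):
        findings.append("Session Token Appears in the URL")
    return findings

# Constructed samples: an unhardened response and its hardened counterpart.
BEFORE = ("https://sgd.example.test/sgd/index.jsp?langSelected=" + MARKER,
          {"Content-Type": "text/html", "Location": "/sgd/webtops/standard/webtop/x.jsp;jsessionid=ABC123"},
          "<html>lang=" + MARKER + "</html>")
AFTER = ("https://sgd.example.test/sgd/index.jsp?langSelected=" + MARKER,
         {"Content-Type": "text/html", "Cache-Control": "no-store, no-cache", "Pragma": "no-cache"},
         "<html>lang=" + escape(MARKER, quote=True) + "</html>")

if __name__ == "__main__":
    print("before:", classify(*BEFORE))  # all three findings
    print("after :", classify(*AFTER))   # []
```

Feed it the URL, response headers and body captured from the scanner's proxy log for each reported path; an empty list means that response no longer matches the finding class.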