13 Replies Latest reply: Jan 12, 2013 5:07 PM by VANJ

    APEX 4.2.1 - Dynamic Action error with SSP

    VANJ
      APEX 4.2.1, Oracle 11gR1

      Session State Protection enabled application, all items need session-level checksum, application upgraded from 3.x to 4.0 to 4.2 to 4.2.1

      A DA action Execute PL/SQL code that simply has NULL; and Page Items to Set as P13_REC_ID (hidden page item with Protected=No and SSP=Checksum needed - session level) raises a hopelessly obtuse error popup box http://screencast.com/t/ndYWBsJmxJ

      Attempted to reproduce the issue on apex.oracle.com. Exact same page, same code, this time the error message is http://screencast.com/t/i0qOg9g0gb7 This makes much more sense. Changing the page item's SSP setting to Unrestricted fixes the problem.

      The inevitable questions

      1. What security setting changed between 4.2.1 and earlier versions that causes this security error? Is this documented in the release notes?
      2. More importantly, with the same software (APEX 4.2.1), why does apex.oracle.com raise a different, clearer error message than my instance?!

      Thanks
        • 1. Re: APEX 4.2.1 - Dynamic Action error with SSP
          VANJ
          Bump. Thanks.
          • 2. Re: APEX 4.2.1 - Dynamic Action error with SSP
            VANJ
            Bump. Thanks.
            • 3. Re: APEX 4.2.1 - Dynamic Action error with SSP
              Arie Geller
              Hello Vikas,

              Can we gain access to the page on apex.oracle.com?

              Regards,
              Arie.


              -------------------------------------------------------
              ♦ Please remember to mark appropriate posts as correct/helpful. For the long run, it will benefit us all.

              ♦ Author of Oracle Application Express 3.2 – The Essentials and More
              • 4. Re: APEX 4.2.1 - Dynamic Action error with SSP
                VANJ
                Hi Arie - Thanks for jumping in. The page is at https://apex.oracle.com/pls/apex/f?p=57688:13 and my workspace credentials are vikasa/guest/otnforum

                Run the page and click on either of the radio buttons to see the error.

                One more observation: The error popup says "Note: End users get a different error message." but even when I log out of the Builder and run the page (as an end user), I get the same popup with the same message.
                • 5. Re: APEX 4.2.1 - Dynamic Action error with SSP
                  Arie Geller
                  Hi Vikas,

                  The problem seems to be with the DA action of Execute PL/SQL code, when you are setting Page Items to Submit with P13_REC_ID. This item is defined as Checksum Required – Session Level, but the error message claims that the APEX engine is submitting it without the required checksum value.

                  I don't think we are talking about a change in behavior (and your Compatibility Mode is set to Pre 4.1 ). To me, it looks more like a bug, but to confirm that we'll need the development team.

                  Regards,
                  Arie.

                  • 6. Re: APEX 4.2.1 - Dynamic Action error with SSP
                    Christian Neumueller-Oracle
                    Hi Vikas and Arie,

                    if the item needs a checksum, it cannot be used in Ajax calls. The reason is that there is no way to generate a correct checksum on the client. In 4.2, we added an advisor check "Protected items in AJAX calls" that shows DAs, reports and items that are configured to pass protected items.

                    Regards,
                    Christian
                    • 7. Re: APEX 4.2.1 - Dynamic Action error with SSP
                      Arie Geller
                      Hi Christian,

                      >> if the item needs a checksum, it can not be used in Ajax calls

                      It makes sense, and I thought about it, although from Vikas' post, and as he mentioned the application upgrade path (especially 4.0 to 4.2.x) I was under the impression that the DA actually worked before. Vikas will be able to clear this point.

                      In one of my applications, I'm using AJAX to generate a URL with checksum, using apex_util.prepare_url, but the parameter passed to the on-demand process is indeed unprotected.

                      Thanks and regards,
                      Arie.

                      • 8. Re: APEX 4.2.1 - Dynamic Action error with SSP
                        VANJ
                        Christian - Thanks for jumping in. As I said, this was working fine in Version 4.0.2. The problem started after the upgrade to 4.2. Hence the questions in my original post. Can you answer my 2 questions?

                        I do appreciate all the security related enhancements being made in every release but maintaining backward compatibility is very important; that gives a sense of continuity, stability and reliability. I am glad that Oracle has introduced the Compatibility Mode parameter which shows that you value backward compatibility. That's why I was surprised when an application upgraded from 3.x to 4.0 to 4.2 with Compatibility mode set to Pre-4.1 was adversely affected by these changes.

                        Let me know what you find, thanks.

                        Thanks
                        • 9. Re: APEX 4.2.1 - Dynamic Action error with SSP
                          Christian Neumueller-Oracle
                          Hi Vikas,

                          we really try not to break anything between versions, as we know how important this is for our customers. Security fixes must take precedence, however. We can not use the compatibility mode for them, either, as apps would stay vulnerable by default. In this example, i.e. when otherwise protected items can be manipulated via AJAX, item protection can be circumvented in general. It's one of the reasons why we added this Advisor check that I already mentioned. I could not identify the exact svn commit and bug # which introduced this change, it's just too much work to look through all diffs.

                          Regarding the different error messages, I found out that this seems to depend on your web server. On apex.oracle.com (WLS + Apex Listener), the ACCEPT and HTTP_ACCEPT headers are set. On mod_plsql, only HTTP_ACCEPT is visible. The error handler checks ACCEPT for %json% and returns a json response in this case. Patrick just filed bug #16097364 for this issue.

                          Regards,
                          Christian
                          • 10. Re: APEX 4.2.1 - Dynamic Action error with SSP
                            Arie Geller
                            Hello,

                            Now, the question remains how to fix this issue under the new security rules (and maintain item protection).

                            Vikas – is the PL/SQL code of NULL; there for simplicity's sake (on the example page)? What are you trying to achieve with this segment of the DA?

                            Christian – there have been many behavior changes following the tightened security in 4.2, and I have to admit that all those I've encountered are well deserved. However, because some of these changes are bound to break upgraded applications, I would expect more detailed documentation on it, allowing the developers to make more informed decisions regarding the upgrade process. As you can imagine, it's hard to face such issues after the fact.

                            Regards,
                            Arie.

                            • 11. Re: APEX 4.2.1 - Dynamic Action error with SSP
                              Christian Neumueller-Oracle
                              Hi Arie,

                              good question, but I think it has to be answered on a case-by-case basis. Some workarounds seem simple at first sight, e.g. in Vikas' test case. The value could be passed via an unprotected item to the PL/SQL DA, which could in turn copy the value to the original item. Be aware, however, that malicious users could then use the DA's Ajax call to set any value for the protected item. Either the DA has to contain some logic to verify the value before setting it, or protection for this item can as well be removed.

                              I hear you on the documentation. It's difficult, however, especially regarding security bugs. Any documentation from us (even this discussion here) could point attackers to vulnerabilities in existing apps. That's why security fixes are normally not mentioned when we ship a new version.

                              Regards,
                              Christian
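The workaround Christian sketches above, written out as an added example (not code from the thread or from APEX itself): the DA's Execute PL/SQL Code action receives the value through an unprotected item, validates it server-side, and only then copies it into the protected item's session state. Assumed names: P13_REC_ID_TMP is a hypothetical unprotected hidden item listed in Page Items to Submit, P13_REC_ID keeps Checksum Required - Session Level and is NOT submitted, and my_records/rec_id/owner is a hypothetical table that records which user may see which record.

```plsql
-- Added example for a DA "Execute PL/SQL Code" action (not from the original thread).
-- P13_REC_ID_TMP: hypothetical unprotected hidden item, in "Page Items to Submit".
-- P13_REC_ID:     the protected item (checksum required), deliberately not submitted.
-- my_records:     hypothetical table; replace with the real authorization source.
declare
  l_rec_id  number;
  l_allowed pls_integer;
begin
  -- 1. Type check: the client-supplied value must be a plain number.
  --    In PL/SQL a bad TO_NUMBER raises VALUE_ERROR; INVALID_NUMBER is caught for safety.
  begin
    l_rec_id := to_number(:P13_REC_ID_TMP);
  exception
    when value_error or invalid_number then
      raise_application_error(-20001, 'Invalid record id');
  end;

  -- 2. Authorization check: the record must be one :APP_USER is allowed to see.
  --    Without this step anyone could set P13_REC_ID to any value via the Ajax call,
  --    which is exactly what the checksum was protecting against.
  select count(*)
    into l_allowed
    from my_records r
   where r.rec_id = l_rec_id
     and r.owner  = :APP_USER;

  if l_allowed = 0 then
    raise_application_error(-20002, 'Record not accessible');
  end if;

  -- 3. Only the verified value reaches the protected item's session state.
  apex_util.set_session_state('P13_REC_ID', to_char(l_rec_id));
end;
```

Because the protected item is written server-side, the report region whose query binds :P13_REC_ID can then be refreshed with the native Refresh action without listing P13_REC_ID in its Page Items to Submit.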
                              • 12. Re: APEX 4.2.1 - Dynamic Action error with SSP
                                VANJ
                                Arie - Nope, that's all the PL/SQL code has. The point is to set the value of a hidden page item in session state and refresh a report region whose query uses that page item. Prior to 4.2, we needed to do a 3-step DA:
                                Step 1 - Use $v() to set the value on the client.
                                Step 2 - Use a no-op PL/SQL TRUE action just to use the Page Items to Submit attribute.
                                Step 3 - Refresh the report.
                                In 4.2, report regions have a Page items to submit attribute so the DA can simply use the native Refresh action and it will pick up the latest value of the page item, so much easier!

                                I agree with your comment about behaviour changes during upgrades. Providing Advisor checks is a necessary but not sufficient step. Ideally the Changed Behaviour section of the release notes should document this in excruciating detail and the compatibility mode setting should strictly honor the "pre-upgrade" setting even if that means "lax security by default". Let us decide if/how/when to tighten security instead of scrambling to fix (potentially) dozens of apps because the upgrade "broke" them. IMHO of course.
                                • 13. Re: APEX 4.2.1 - Dynamic Action error with SSP
                                  VANJ
                                  Christian - Thinking some more about this, the implications are pretty far reaching. In general, a large majority of report regions reference a page item using bind variable notation in the query.

                                  http://apex.oracle.com/pls/apex/f?p=57688:2 has a trivial report region with a query like
                                  select :P2_FOO c1 from dual
                                  and P2_FOO in the Page Items to Submit region attribute. The DA simply uses the Refresh action when P2_FOO changes. P2_FOO has SSP set (checksum required). The page loads fine (because the DA is set to not fire on page load). But when P2_FOO is changed, the report region disappears! Using Firebug to dig deeper shows an error: "Attempt to save item P2_FOO in session state during show processing, item has Internal Only protection."

                                  So what you are saying is that report regions, PPR or just about anything except a traditional full page refresh baked in the server/oven cannot be used with SSP or protected page items?! This rules out non-trivial dynamic actions almost entirely, only 100% client side stuff like show/hide can be used.

                                  Maybe I am missing something but doesn't this seem overly restrictive? I understand the intention here; malicious users can use tools like Firebug to easily modify hidden page items used in report queries or other page components and wait for some DA to fire and get unauthorized access to data or something along those lines. But surely there is a way for APEX to prevent such unauthorized access and still allow use of modern, essential UI patterns that use AJAX? Something doesn't add up.

                                  Please feel free to take this discussion offline using the email address on my OTN profile otn2 dot vikasa at spamgourmet dot com if you are (rightly so) concerned about publicly discussing security considerations.

                                  Thanks