2 Replies Latest reply on Jan 10, 2013 10:09 PM by MrBrown-Oracle

    Security vulnerabilities within SGD

      We are running SGD version 4.62. We recently had a security vulnerability assessment performed by an outside agency against our SGD website. They reported several vulnerabilities:

      Here are some of the results reported:

      1. /sgd/index.jsp [IC_JOIN parameter]
      /sgd/index.jsp [ko parameter]
      /sgd/index.jsp [langSelected parameter]
      /sgd/index.jsp [name of an arbitrarily supplied request parameter]
      Vulnerability: Reflected Cross-Site Scripting Detected

      2. /sgd/tcc/java/ttalwG-jps .jar
      /sgd/webtops/standard /webtop/bottomFrame.jsp
      /sgd/webtops/standard /webtop/printFrame.jsp
      /sgd/webtops/standard /webtop/response.jsp
      /sgd/webtops/standard /webtop/session-grabbed .jsp
      /sgd/webtops/standard /webtop/vlineFrame.jsp
      Vulnerability: Cacheable HTTPS Response

      3. /sgdadmin/faces/jsp /Login.jsp
      /sgd/applicationLaunch /appLaunch.jsp
      /sgd/webtops/standard /webtop/webtop.jsp
      /sgdadmin/faces/jsp/Login .jsp
      /sgdadmin/images /productNameLogin.gif
      /sgdadmin/theme/com/sun /web/ui/oracletheme /images/other/dot.gif
      Vulnerability: Session Token Appears in the URL

      Will newer versions resolve these issues, or is there something we can do to work around them?