2 Replies. Latest reply: Jan 10, 2013 1:58 PM by 806512

Security vulnerabilities within SGD

Jeffro Newbie
We are running SGD version 4.62. We recently had a security vulnerability assessment performed by an outside agency against our SGD website. They reported several vulnerabilities:

Here are some of the results reported:

1. /sgd/index.jsp [IC_JOIN parameter]
/sgd/index.jsp [ko parameter]
/sgd/index.jsp [langSelected parameter]
/sgd/index.jsp [name of an arbitrarily supplied request parameter]
Vulnerability: Reflected Cross-Site Scripting Detected

2. /sgd/tcc/java/ttalwG-jps.jar
/sgd/webtops/standard/webtop/bottomFrame.jsp
/sgd/webtops/standard/webtop/printFrame.jsp
/sgd/webtops/standard/webtop/response.jsp
/sgd/webtops/standard/webtop/session-grabbed.jsp
/sgd/webtops/standard/webtop/vlineFrame.jsp
Vulnerability: Cacheable HTTPS Response

3. /sgdadmin/faces/jsp/Login.jsp
/sgd/applicationLaunch/appLaunch.jsp
/sgd/webtops/standard/webtop/webtop.jsp
/sgdadmin/faces/jsp/Login.jsp
/sgdadmin/images/productNameLogin.gif
/sgdadmin/js/globals.js
/sgdadmin/js/window.js
/sgdadmin/theme/com/sun/web/ui/oracletheme/images/other/dot.gif
Vulnerability: Session Token Appears in the URL

Will newer versions resolve these issues, or is there something we can do to work around them?

Thanks.
  • 1. Re: Security vulnerabilities within SGD
    806512 Newbie
    I'm always reluctant to discuss vulnerabilities on public forums, but I think I can say there were a number of "policy" changes and fixes incorporated into 4.70 to address security concerns and vulnerabilities.

    Beyond that, if you want specific answers to specific vulnerabilities, you'll probably need to raise an SR.
  • 2. Re: Security vulnerabilities within SGD
    MrBrown Explorer
    SGD 4.7 with Security Guide configs

    Security Guide - http://docs.oracle.com/cd/E26362_01/E36389/html/index.html

    If your scan fails, then open a My Oracle Support Service Request using your valid Secure Global Desktop support identifier.
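A small re-test helper for the two header/URL findings in the original post (Cacheable HTTPS Response, Session Token Appears in the URL), so an administrator can confirm locally whether the 4.7 Security Guide settings actually changed the responses. This is an added example, not code from Oracle or from anyone in this thread; the hostname, header values and session id below are constructed, and the reflected-XSS finding is out of scope here because it needs request-based testing.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: headers a re-test might capture for URLs quoted in the
# thread. Hostname, header values and the jsessionid value are made up.
SAMPLE_RESPONSES = {
    "https://sgd.example.com/sgd/webtops/standard/webtop/printFrame.jsp": {
        "Cache-Control": "private",          # still cacheable by the browser
        "Content-Type": "text/html",
    },
    "https://sgd.example.com/sgdadmin/faces/jsp/Login.jsp;jsessionid=ABC123DEF456": {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
    },
    "https://sgd.example.com/sgd/index.jsp?langSelected=en": {
        "Cache-Control": "no-store",
    },
}

# Query-string names commonly used to carry a session identifier.
SESSION_PARAMS = {"jsessionid", "sessionid", "session", "token"}


def cacheable_https_response(url, headers):
    """True if an HTTPS response lacks 'no-store', i.e. caches may keep it."""
    if urlsplit(url).scheme != "https":
        return False
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return "no-store" not in lowered.get("cache-control", "")


def session_token_in_url(url):
    """True if a session id rides in the path (;jsessionid=...) or the query."""
    parts = urlsplit(url)  # urlsplit keeps ';jsessionid=...' inside .path
    if re.search(r";jsessionid=", parts.path, re.IGNORECASE):
        return True
    return any(name.lower() in SESSION_PARAMS for name in parse_qs(parts.query))


def audit(responses):
    """Map each URL to the list of finding names that still apply to it."""
    findings = {}
    for url, headers in responses.items():
        issues = []
        if cacheable_https_response(url, headers):
            issues.append("Cacheable HTTPS Response")
        if session_token_in_url(url):
            issues.append("Session Token Appears in the URL")
        findings[url] = issues
    return findings
```

Feed it the URL/header pairs captured from your own SGD host after re-configuring; any URL whose list is non-empty is one the scanner will most likely flag again.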
