I was wondering if anyone could help me out here. I am faced with a security issue where I need to hide any and all APEX framework error messages. Specifically, I need to hide the error messages on the screen you get when trying to access an application that doesn't exist (the white screen with the red "x"). This had been implemented already in the past, however, the 4.2 upgrade knocked it out. To change this in 4.1.1 is just a matter of modifying the APEX_040100.WWV_FLOW_ERROR package.
Does anyone have any suggestions here? Any and all would be appreciated!
Thanks in advance,
How about using the standard APEX error handling procedure?: APEX 4.1 – Error Handling Improvements – Part 1 | Inside Oracle APEX by Patrick Wolf
Thanks for your information, however, this is specific to application level error handling. We are already implementing this feature in our application. We are looking to change error messages only on the screen you get while trying to access an application that is not there.
What is the specific security issue you are facing?
This sounds like a generic penetration test, perhaps something along the lines of "Error messages reveal the underlying technology" or "Error messages can contain information helpful to an attacker". This is because of the ORA- messages. I would push back on this and see if you can argue the point that:
a) The technology cannot be hidden, we (for example) have written detection routines for Nessus to detect APEX without relying on any error output.
b) Ask for a *specific* example where the framework error message has lessened the security posture of the application/framework.
c) If you cannot then you really do need help to ensure that any changes/patches to the framework do not decrease application stability. What is the risk to the business? Can the business accept this low risk?
d) Just because somebody saw an 'ORA-01403: no data found' message once doesn't instantly mean you are insecure.
Though saying that, it would be a good feature to suggest, certainly a 'turn all errors off' might easily combat these types of over-zealous security reports: https://apex.oracle.com/pls/apex/f?p=55447
I finally found how this can be done. You will need to modify the package APEX_040200."WWV_FLOW_PAGE". Procedure: "RENDER_ERROR_PAGE". If you ever patch/upgrade APEX you will most likely need to remodify this package. For anyone looking for the solution for APEX 4.1, simply modify the WWV_FLOW_ERROR package owned by APEX_040100.
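
Because the last post notes that the package change is lost on every patch or upgrade, a regression check on the rendered error page is useful. The following is an added example, not code from any poster in this thread or from Oracle: the function names are hypothetical and both sample bodies are constructed, using only the identifiers quoted above.

```python
import re

# Internals the thread wants kept off the "application not found" error page.
LEAK_PATTERNS = {
    "oracle_error": re.compile(r"\b(?:ORA|PLS)-\d{5}\b"),
    "apex_schema": re.compile(r"\bAPEX_\d{6}\b", re.IGNORECASE),
    "apex_internal_package": re.compile(r"\bWWV_FLOW\w*", re.IGNORECASE),
}


def find_leaks(body):
    """Return sorted (category, match) pairs for internals visible in a body."""
    found = set()
    for category, pattern in LEAK_PATTERNS.items():
        for match in pattern.finditer(body):
            found.add((category, match.group(0).upper()))
    return sorted(found)


def check_error_page(body):
    """Return True when the rendered error page exposes no framework internals."""
    return not find_leaks(body)


# Constructed sample: an error page that still shows framework detail,
# e.g. after an upgrade replaced the modified package.
SAMPLE_UNMODIFIED = (
    "<html><body><h1>Error</h1>"
    "<p>ORA-01403: no data found</p>"
    "<p>at APEX_040200.WWV_FLOW_PAGE</p></body></html>"
)

# Constructed sample: the generic page expected once the change is re-applied.
SAMPLE_MODIFIED = (
    "<html><body><p>The requested page is not available.</p></body></html>"
)

if __name__ == "__main__":
    for name, body in (("unmodified", SAMPLE_UNMODIFIED),
                       ("modified", SAMPLE_MODIFIED)):
        leaks = find_leaks(body)
        print(name, "OK" if not leaks else "LEAKS: %s" % leaks)
```

Feed it the saved response body of a request for a non-existent application ID after each APEX patch; a non-empty result means the package change needs to be re-applied.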