1 Reply Latest reply on Jul 11, 2017 2:13 PM by SH_INT

    FDMEE: terrible location security bug

    finskiy

      Hello!

      It's incredible.. once again I felt ashamed of the product that we are introducing to the customer..

      FDMEE 2.4 PSU210:

      1) Create location "LOCNAME", for example a parent location.

      2) Create location "LOCNAME_2", for example a child of the "LOCNAME" location.

      3) Set up security: turn on "enable security by locations", create HSS groups like "fdmee_<location>_i5", and add a test user ONLY to "fdmee_LOCNAME_2_i5" with the role for using the Data Load Workbench.

      4) Check that the test user has access only to the "LOCNAME_2" location and doesn't have access to the parent location "LOCNAME".

      5) Add one more test native group, like "test_LOCNAME_test", WITHOUT ANY ROLES! ..just an empty new group. Add your test user to this group.

      6) Relogin with your test user!   *Taa-daaaa-ms!* -> You have FULL access to the parent location "LOCNAME" !!!

      FDMEE's location check logic is:   "find the 1st underscore ("_") in the group name, find the last underscore char.. the string between those under_score chars will be used as the location name for further security checks"... ^_^

      We have already opened an SR with high severity, but this is a terrible bug.. our customers have a lot of groups with different names containing location names and under_scores.. I think it's a fail for the Oracle Development and Testing teams.. sorry, I'm sad.

      Cheers,

      Artem.
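To make the parsing rule described in the post concrete, here is an added Python example (not FDMEE's code and not from the poster): it reproduces the first-to-last-underscore rule and contrasts it with a hypothetical strict matcher that requires the exact "fdmee_<location>_i5" convention and a known location name. The location set, prefix and suffix are taken from the repro steps; the strict matcher is an assumed mitigation, not Oracle's actual fix.

```python
from typing import Callable, Optional, Set

# Constructed location set matching the post's repro steps (parent and child).
LOCATIONS: Set[str] = {"LOCNAME", "LOCNAME_2"}


def location_from_group_naive(group_name: str, locations: Set[str]) -> Optional[str]:
    """Reproduces the rule the post describes: everything between the first and
    the last underscore of the group name is treated as the location name."""
    first = group_name.find("_")
    last = group_name.rfind("_")
    if first == -1 or last <= first:
        return None
    candidate = group_name[first + 1:last]
    return candidate if candidate in locations else None


def location_from_group_strict(group_name: str, locations: Set[str],
                               prefix: str = "fdmee_", suffix: str = "_i5") -> Optional[str]:
    """Hypothetical hardened check (assumption, not the vendor's fix): the group must
    carry the expected prefix and role suffix, and the remainder must be exactly a
    known location. Unrelated groups such as "test_LOCNAME_test" grant nothing."""
    if not (group_name.startswith(prefix) and group_name.endswith(suffix)):
        return None
    candidate = group_name[len(prefix):len(group_name) - len(suffix)]
    return candidate if candidate in locations else None


def accessible_locations(user_groups, parser: Callable[[str, Set[str]], Optional[str]],
                         locations: Set[str] = LOCATIONS) -> Set[str]:
    """Locations a user can reach, given their group memberships and a parsing rule."""
    return {loc for loc in (parser(g, locations) for g in user_groups) if loc is not None}


if __name__ == "__main__":
    # Constructed memberships from the post: the role group plus an empty, unrelated group.
    groups = ["fdmee_LOCNAME_2_i5", "test_LOCNAME_test"]
    print("naive :", sorted(accessible_locations(groups, location_from_group_naive)))
    print("strict:", sorted(accessible_locations(groups, location_from_group_strict)))
```

With the naive rule the empty "test_LOCNAME_test" group yields the parent location "LOCNAME"; the strict rule only yields "LOCNAME_2".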