Risk of Information Leakage from the Oracle E-Business Suite - Validation Levels
Through parameter and URL tampering, an external attacker or a malicious insider can manipulate or construct URLs to expose information or to try to circumvent Oracle E-Business Suite functionality, including parts of the application's security. Several profile options provide defense in depth against cross-site scripting (XSS), HTML injection, and parameter and URL tampering. Setting these profile options to the recommended values in the table below helps reduce the risk of information leakage.
| Profile Option | Default Value | Recommended Value |
|---|---|---|
| FND: Validation Level | Error as of R12 | Error (cannot be changed in R12.2) |
| FND: Function Validation Level | Error as of 11.5.10 CU 10 | Error (cannot be changed in R12.2) |
| Framework Validation Level | Error as of 11.5.10 CU 10 | Error (cannot be changed in R12.2) |
| Restricted Text Input | Yes | Yes |
| FND: Fixed Key Enabled | Null | Yes |
| FND: Fixed Key | None | Yes, set only at User level |
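To verify the current state of these settings, the following query is an added example (not from the original page or from Oracle) that reports each profile option in the table above at every level at which a value is set. It assumes the standard E-Business Suite views FND_PROFILE_OPTIONS_VL and FND_PROFILE_OPTION_VALUES and the standard level codes (10001 = Site through 10007 = Server+Responsibility), and is run as APPS; it matches on the display names shown in the table and masks the value of FND: Fixed Key because that option holds key material.

```sql
-- Added example: audit the profile options listed on this page.
-- Assumes standard EBS views (FND_PROFILE_OPTIONS_VL, FND_PROFILE_OPTION_VALUES).
-- A LEFT JOIN is used so that an option with no value at any level
-- (e.g. "FND: Fixed Key Enabled" left at its Null default) still appears,
-- with a NULL current_value, instead of silently dropping out of the report.
SELECT po.user_profile_option_name            AS profile_option,
       DECODE(pov.level_id,
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              10005, 'Server',
              10006, 'Organization',
              10007, 'Server+Responsibility',
              TO_CHAR(pov.level_id))          AS set_at_level,
       pov.level_value                        AS level_value,
       CASE
         WHEN po.user_profile_option_name = 'FND: Fixed Key'
         THEN '<masked>'                      -- key material: report presence only
         ELSE pov.profile_option_value
       END                                    AS current_value,
       pov.last_update_date                   AS last_changed
FROM   fnd_profile_options_vl po
       LEFT JOIN fnd_profile_option_values pov
              ON  pov.profile_option_id = po.profile_option_id
              AND pov.application_id   = po.application_id
WHERE  po.user_profile_option_name IN ('FND: Validation Level',
                                       'FND: Function Validation Level',
                                       'Framework Validation Level',
                                       'Restricted Text Input',
                                       'FND: Fixed Key Enabled',
                                       'FND: Fixed Key')
ORDER  BY po.user_profile_option_name, pov.level_id, pov.level_value;
```

Compare each row against the Recommended Value column above; a row for FND: Fixed Key at any level other than User, or no row at all for FND: Fixed Key Enabled, indicates a setting that still needs attention.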
References
- Secure Configuration of Oracle E-Business Suite Profiles (MOS Doc ID 946372.1)
- Oracle Application Framework Profile Options (MOS Doc ID 1107970.1)