
Enterprise Manager DBCONSOLE Subject To ClickJacking (Doc ID 2579250.1)

Last updated on SEPTEMBER 17, 2019

Applies to:

Enterprise Manager for Oracle Database - Version 11.2.0.4 to 11.2.0.4 [Release 11.2]
Information in this document applies to any platform.
Clickjacking vulnerability reported by Nessus scan.

Click Jacking (http-generic-click-jacking) Description: Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.

The note below does not apply to DBControl 11.2:
- How to Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts Using OHS and WLS Applications

Editing /apps/ordev/product/11.2.0/sysman/config/httpd_em.conf to add the line:
header always set x-frame-options "SAMEORIGIN"

has no effect: the header is still not returned in DB Control responses.
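Before and after any configuration change, the practical check is whether the DB Control response actually carries an anti-framing header. The following is an added example, not part of the Oracle note; it parses a raw HTTP response (for instance the output of curl -sI against the DB Console URL) and reports whether X-Frame-Options or a CSP frame-ancestors directive is present. The sample responses are constructed.

```python
# Added check (not from the Oracle note): decide whether an HTTP response
# carries an anti-framing header. Sample responses below are constructed,
# not captured from a DB Control host.

def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a
    {lowercased-name: [values]} dict. Header names are case-insensitive,
    so 'x-frame-options' and 'X-Frame-Options' land in the same key."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:            # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_protection(raw_response: str):
    """Return 'x-frame-options' if X-Frame-Options is DENY or SAMEORIGIN,
    'csp' if a Content-Security-Policy frame-ancestors directive is present,
    else None (the page can be framed, so the clickjacking finding stands)."""
    headers = parse_headers(raw_response)
    # Only DENY and SAMEORIGIN are honoured by current browsers; ALLOW-FROM
    # and malformed values are ignored, so they count as no protection.
    for value in headers.get("x-frame-options", []):
        if value.upper() in ("DENY", "SAMEORIGIN"):
            return "x-frame-options"
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return "csp"
    return None


# Constructed samples: a response with no header at all (what the failed
# httpd_em.conf edit leaves you with) versus responses that do protect.
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
XFO_LOWERCASE = ("HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n"
                 "Content-Type: text/html\r\n\r\n<html>")
CSP_ONLY = ("HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
            "frame-ancestors 'none'\r\nContent-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for name, sample in (("unprotected", UNPROTECTED),
                         ("x-frame-options", XFO_LOWERCASE),
                         ("csp", CSP_ONLY)):
        print(name, "->", framing_protection(sample))
```

To check a live instance, pass the complete header output of curl -sI for the DB Console URL to framing_protection(); a None result means the scanner finding still applies.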



Goal

Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts in DB Control

Solution
