Enterprise Manager DBCONSOLE Subject To ClickJacking
(Doc ID 2579250.1)
Last updated on SEPTEMBER 17, 2019
Applies to: Enterprise Manager for Oracle Database - Version 184.108.40.206 to 220.127.116.11 [Release 11.2]
Information in this document applies to any platform.
Clickjacking vulnerability reported by Nessus scan.
Click Jacking (http-generic-click-jacking)
Description: Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.
The note referenced below does not apply to DB Control 11.2:
Editing /apps/ordev/product/11.2.0/sysman/config/httpd_em.conf to add the line:
header always set x-frame-options "SAMEORIGIN"
has no effect.
Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts in DB Control
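As an added example (not part of the Oracle note), a small Python check that parses a server's HTTP response headers and reports whether an anti-framing policy is actually being emitted; this is how to confirm whether a change such as the httpd_em.conf edit above took effect. The sample responses are constructed, and the names parse_headers, frame_policy and check_url are chosen here.

```python
import http.client
from urllib.parse import urlparse

SAFE_XFO = {"DENY", "SAMEORIGIN"}

def parse_headers(raw):
    """Parse a raw HTTP response header block into (name, value) pairs.
    Names are lower-cased; duplicates are kept because a web server
    'header always set' and an application header can both be present."""
    lines = raw.strip().splitlines()
    pairs = []
    for line in lines[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def frame_policy(headers):
    """Return 'protected', 'weak' or 'missing' for the anti-framing headers."""
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    if any("frame-ancestors" in v.lower() for v in csp):
        return "protected"  # CSP frame-ancestors is the modern replacement
    if not xfo:
        return "missing"    # this is what the Nessus finding reports
    # Multiple or non-standard values (e.g. the deprecated ALLOW-FROM) are
    # handled inconsistently by browsers, so treat them as weak.
    if len(xfo) == 1 and xfo[0] in SAFE_XFO:
        return "protected"
    return "weak"

def check_url(url, timeout=10, context=None):
    """Fetch headers from a live server (e.g. the DB Console URL) and assess them.
    Pass an ssl.SSLContext as context if the console uses a private CA."""
    u = urlparse(url)
    if u.scheme == "https":
        conn = http.client.HTTPSConnection(u.hostname, u.port, timeout=timeout, context=context)
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    headers = [(n.lower(), v) for n, v in resp.getheaders()]
    conn.close()
    return frame_policy(headers)

# Constructed sample responses (not captured from a real DB Console):
MISSING = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
FIXED = MISSING + "X-Frame-Options: SAMEORIGIN\r\n"
```

Run check_url against the console's login URL before and after a configuration change; a result other than "protected" means the header is not reaching the browser.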