Improper Cache-Control: Cache-Control Is Not Enabled for Pages That Contain Users' Submitted Information (Doc ID 2632524.1)

Last updated on JUNE 10, 2021

Applies to:

Oracle Financial Services Revenue Management and Billing - Version 2.6.0.1.0 and later
Information in this document applies to any platform.

Symptoms

On RMB v2.6.0.1.0, Cache-Control is not enabled for pages that contain users' submitted information.

The ORMB application does not set proper "Cache-Control" headers. As a result, browsers may store these pages in the user's browser cache, which can introduce a security vulnerability.

ACTUAL BEHAVIOR
-------------------------------
1. Users can display the content of any file in some of the search screens without saving the file first.
2. Any user can locate sensitive information via the browser cache.

EXPECTED BEHAVIOR
-----------------------------------
1. On responses that do not display their contents inline, add the following header to prevent Internet Explorer users from opening the file without saving it:
X-Download-Options: noopen
This option is required for the Data Explorer Export to Excel feature.
2. Restrict access to the browser cache for any sensitive information.

STEPS
-----------------------
1. Search for results in any UI that displays results in tabular form.
2. Access the browser cache to locate information from other users.

BUSINESS IMPACT
------------------------------
This may cause a security issue, as one may search through the browser's cache to locate information that was submitted earlier. This is a security issue when different users access a public machine. Also, not allowing file content to be accessed directly in the browser is expected for a similar security reason.
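
One way to check responses against the expected behavior above, as an added example that is not part of the original article or Oracle's own code. It assumes `no-store` is the directive used to keep a sensitive page out of the browser cache (the article does not name one); the function names and sample headers are constructed for illustration.

```python
# Added example: audit response headers against the expected behavior above.
# Assumption: "no-store" is the required caching directive; the article
# itself only says that proper Cache-Control headers are not set.

def parse_directives(value):
    """Split a Cache-Control value into a set of lowercase directive names."""
    names = set()
    for part in (value or "").split(","):
        name = part.split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def audit_response(headers, sensitive=True):
    """Return findings for one response; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Pages that show user-submitted information must not be cached.
    if sensitive:
        cc = parse_directives(h.get("cache-control"))
        if not cc:
            findings.append("Cache-Control header missing")
        elif "no-store" not in cc:
            findings.append("Cache-Control lacks no-store")

    # Responses not displayed inline (downloads) should carry noopen.
    disposition = h.get("content-disposition", "").strip().lower()
    if disposition.startswith("attachment"):
        if h.get("x-download-options", "").strip().lower() != "noopen":
            findings.append("X-Download-Options: noopen missing on download")
    return findings


# Constructed sample responses (not captured from ORMB).
SEARCH_PAGE = {"Content-Type": "text/html",
               "Cache-Control": "private, max-age=600"}
EXCEL_EXPORT = {"Content-Type": "application/vnd.ms-excel",
                "Content-Disposition": "attachment; filename=export.xls",
                "Cache-Control": "no-store"}
HARDENED_EXPORT = dict(EXCEL_EXPORT, **{"X-Download-Options": "noopen"})

if __name__ == "__main__":
    for name, resp in [("search", SEARCH_PAGE), ("export", EXCEL_EXPORT),
                       ("hardened", HARDENED_EXPORT)]:
        print(name, audit_response(resp) or "OK")
```
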

Cause
