How To Disable OHW "Online Help" Module In SES Environment (Doc ID 2173059.1)

Last updated on FEBRUARY 01, 2019

Applies to:

Oracle Secure Enterprise Search - Version 11.2.2.2.0 and later
Information in this document applies to any platform.

Goal

It has been noticed that a few third-party scanning tools report OHW URLs in the SES environment as vulnerable to SQL injection.

Example: "http://<HOSTNAME>:7777/search/query/ohw/help/state/content/destination.1~-1~-1~2~-0~-1~6~/expanded.1~3~/navId.1/navSetId._/oldNavId.1/oldNavSetId._/?navId=0 AND 2481=2481 AND 2481=2482&locale=atestu&destination=atestu&oldNavId=1&source=atestu&navSetId=_&oldNavSetId=_&vtTopicFile=atestu&selNode=atestu&event=switchNavigator&setSel=atestu".

 

Solution

To view full details, sign in with your My Oracle Support account.
