Security Risk In QP Attribute Mapping (Doc ID 2784306.1)

Last updated on JUNE 14, 2021

Applies to:

Oracle Advanced Pricing - Version 12.1.3 and later
Information in this document applies to any platform.

Goal

Security Risk in QP Attribute Mapping
It is possible to inject PL/SQL using the Attribute Mapping within Advanced Pricing of EBS.

Further, the form does not seem to support forms personalization. Therefore, we cannot add a forms personalization to secure the vulnerability.

The problem is that a user can enter the semi-colon character in the "User Value String". After that line terminator, the user can enter lines of PL/SQL code.

I have tried to raise an error for the following conditions on form QPXPTMAP:

INSTR(:SRC1.USER_VALUE_STRING, ';', 1 ) > 0
AND INSTR(${item.src1.user_value_string.database_value},';',1) = 0
AND INSTR(:SRC2.USER_VALUE_STRING, ';', 1 ) > 0
AND INSTR(${item.src2.user_value_string.database_value},';',1) = 0
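The condition above is written for a forms personalization. As an added example that is not part of this note or of Oracle's code, the same per-source check is restated below in plain Python so it can be unit-tested, together with an after-the-fact audit of stored value strings, since a form-level check only catches new edits and says nothing about mappings already saved. Block and item names (SRC1, SRC2, USER_VALUE_STRING) come from the note; the row layout, the sample values and the extra sequences beyond ';' are this example's own assumptions, and the two sources are combined with OR here as a design choice.

```python
"""
Added example (not from the Oracle note): Python restatement of the
semicolon check on a QP Attribute Mapping "User Value String", plus an
audit over stored rows. Only SRC1/SRC2 and USER_VALUE_STRING are taken
from the note; everything else below is constructed for illustration.
"""
from dataclasses import dataclass

# Sequences that let a single expression become several PL/SQL statements
# or hide trailing code. The note identifies ';'; '--', '/*' and '*/' are
# added here as a defender's extension (assumption, not from the note).
DISALLOWED = (";", "--", "/*", "*/")


def value_string_violations(value):
    """Return the disallowed sequences present in one User Value String."""
    if value is None:
        return []
    return [seq for seq in DISALLOWED if seq in value]


def semicolon_newly_introduced(form_value, database_value):
    """Mirror of the per-source condition quoted in the note:
    INSTR(form item, ';') > 0 AND INSTR(database value, ';') = 0.
    True when the edit being saved adds a ';' that the committed value lacks."""
    form_value = form_value or ""
    database_value = database_value or ""
    return ";" in form_value and ";" not in database_value


@dataclass
class MappingEdit:
    """Form state for one mapping: current item value and committed value
    for each of the two sourcing blocks (hypothetical layout)."""
    mapping_id: int
    src1_form: str
    src1_db: str
    src2_form: str
    src2_db: str


def should_raise_error(edit):
    """Raise when EITHER source gains a semicolon (OR is this example's
    choice; each source is evaluated independently)."""
    return (semicolon_newly_introduced(edit.src1_form, edit.src1_db)
            or semicolon_newly_introduced(edit.src2_form, edit.src2_db))


# Constructed sample of stored mapping rows, standing in for rows a DBA
# would fetch from the sourcing table (assumption: real rows come from EBS).
SAMPLE_STORED_ROWS = [
    {"mapping_id": 101,
     "user_value_string": "xxcust_util.get_customer_class(p_cust_account_id)"},
    {"mapping_id": 102,
     "user_value_string": "'GOLD'; xx_hypothetical_proc"},
    {"mapping_id": 103, "user_value_string": None},
    {"mapping_id": 104, "user_value_string": "p_line_id /* review */"},
]


def audit_stored_values(rows):
    """Scan already-saved value strings; returns (mapping_id, violations)
    for each row that contains a disallowed sequence."""
    findings = []
    for row in rows:
        found = value_string_violations(row["user_value_string"])
        if found:
            findings.append((row["mapping_id"], found))
    return findings


if __name__ == "__main__":
    for mapping_id, found in audit_stored_values(SAMPLE_STORED_ROWS):
        print(f"mapping {mapping_id}: disallowed {found}")
```

The audit is the part worth running first: a save-time check prevents new injections, but any value string committed before the check was in place must be reviewed separately.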
 

Solution

