Security Risk In QP Attribute Mapping
(Doc ID 2784306.1)
Last updated on JUNE 14, 2021
Applies to:
Oracle Advanced Pricing - Version 12.1.3 and later
Information in this document applies to any platform.
Goal
Security Risk in QP Attribute Mapping
It is possible to inject PL/SQL using the Attribute Mapping within Advanced Pricing of EBS.
Further, the form does not seem to support forms personalization. Therefore, we cannot add a forms personalization to secure the vulnerability.
The problem is that a user can enter the semi-colon character in the "User Value String". After that line terminator, the user can enter lines of PL/SQL code.
I have tried to raise an error for the following conditions on form QPXPTMAP:
INSTR(:SRC1.USER_VALUE_STRING, ';', 1 ) > 0
AND INSTR(${item.src1.user_value_string.database_value},';',1) = 0
AND INSTR(:SRC2.USER_VALUE_STRING, ';', 1 ) > 0
AND INSTR(${item.src2.user_value_string.database_value},';',1) = 0
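The check below is an added example and is not part of the Oracle note or the Advanced Pricing product code. It puts the condition quoted above into a reusable PL/SQL function: the new User Value String is rejected when it introduces a ';' statement terminator that the stored USER_VALUE_STRING did not already contain. The function name qp_uvs_introduces_terminator and the sample values are assumptions for illustration.

```plsql
-- Added example (not from the Oracle note): a PL/SQL check mirroring the
-- condition the note describes for form QPXPTMAP. Function name is
-- hypothetical.
CREATE OR REPLACE FUNCTION qp_uvs_introduces_terminator (
  p_new_value    IN VARCHAR2,   -- value being entered in SRC1/SRC2.USER_VALUE_STRING
  p_stored_value IN VARCHAR2    -- database_value currently held for that field
) RETURN BOOLEAN IS
BEGIN
  -- Reject when the new value contains a statement terminator and the
  -- stored value does not. NVL keeps INSTR from returning NULL on a new
  -- row, so a first-time ';' is still caught. Existing values that already
  -- hold ';' are left for a separate data review.
  RETURN INSTR(p_new_value, ';', 1) > 0
     AND INSTR(NVL(p_stored_value, ' '), ';', 1) = 0;
END qp_uvs_introduces_terminator;
/

-- Usage from a validation point: raise an error instead of saving.
DECLARE
  l_new    VARCHAR2(4000) := 'ORDER_QTY; other_statement';  -- constructed sample
  l_stored VARCHAR2(4000) := 'ORDER_QTY';                   -- constructed sample
BEGIN
  IF qp_uvs_introduces_terminator(l_new, l_stored) THEN
    RAISE_APPLICATION_ERROR(-20001,
      'User Value String must not contain a ";" terminator');
  END IF;
END;
/
```

Apply the same function to both SRC1 and SRC2, as the note's condition does; where forms personalization is unavailable on this form, the same logic can be run as a periodic query over stored mappings to flag values containing ';' for review.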
Solution