Tuesday, May 28, 2013

Oracle e-Business suite notification mailer security

Oracle e-business suite makes use of workflows for the business processes. In some cases the workflows make use of the workflow notification mailer. This can for example be used to inform someone that a purchase order is pending approval and that this person needs to approve the purchase order can continue in the process. 

The workflow engine and the workflow notification mailer are great options in Oracle e-Business suite and is used for standard functionality and for custom workflows specifically created to tend to a companies need. 

There is however a security risk associated with the notification mailer. There is a SEND_ACCESS_KEY option. When you set this option to Y the mail generated and send to the user will contain a link with an access key in it. This will enable the user to directly access the notification in the system when clicked on the link. While this makes good sense from a user friendly point of view it is a bad thing when we look at it from a security point of view. 

People who intercept the mail or gain access to a mailbox will be able to click on the link and access the notification without the need to know the users username and/or password. 

For this reason it is highly advisable to set SEND_ACCESS_KEY to N. When set to N the user will receive a mail which contains a link which will not contain a access key and the user will be forced to enter his credentials before he can access the notification details page. 

Making the decision to put SEND_ACCESS_KEY to Y or to N is for some parts a business decision. How friendly do we want to make the system? In another part it is a security related question, “do we want to provide access to information without the need for authentication?”.

Advisable is to set SEND_ACCESS_KEY to N. 

Oracle adpatch security considerations

When patching an Oracle database you will make use of opatch ($ORACLE_HOME/OPatch) and when patching an Oracle application you will make use of adpatch ($AD_TOP/bin). When we look at the Oracle security best practices there are some advices around the use of adpatch which are not commonly know and are not commonly applied when maintaining an application. 

Main issue in regards to security in relation to adpatch is that when you apply a patch using adpatch the log file will contain the passwords you have used. When developing adpatch this might possibly have looked OK to the developers however in most cases this is very unwelcome. Having a clear text file on your filesystem which contains passwords is never a good thing and should be prevented. 

To ensure that the password is not stored in the logfile you can set a flag to prevent this. You will have to use adpatch flags=hidepw . When using this the passwords you provide to adpatch will not be shown in the log files. 

You should ensure that your Oracle application is only patched while using this flag to prevent someone from compromising the password when they gain access to the logfile. 

Tuesday, May 07, 2013

Perl use an array variable

Perl, as many other languages has a array variable type. Accoording to Wikipedia an array is the following in computer science: In computer science, an array type is a data type that is meant to describe a collection of elements (values or variables), each selected by one or more indices (identifying keys) that can be computed at run time by the program. Such a collection is usually called an array variable, array value, or simply array. The use of an array is a very effective way of storing variabels in something that is most comparable to a list of things.

In the below example we stored some of the names of a phonetic alphabet in the variable phonetic:

my @phonetic = ( "Alpha", "Bravo", "Charlie", "Delta" );

Now if we want to do something with it we can call the variable @phonetic however this would give you the entire collection of all values in the array. For example using the print command:

my @phonetic = ( "Alpha", "Bravo", "Charlie", "Delta" );

print @phonetic;

this would give you a result you most likely do not want, namely:

As you can see this is printed without any space between it or a newline. Simply using all the values from the array in the print command at once. In many cases you would like to take all the values of the array one by one. In some cases, for example adding up all the numerical values in the array, you might want to use it in this way however in most cases you would like to loop value per value.

In the example below we loop the array and do a print for every value in the array.

my @phonetic = ( "Alpha", "Bravo", "Charlie", "Delta" );

foreach (@phonetic) {
 print $_ . "\n";

When running this example you will see that we do not get the result all in one line as was with direct print on the array. Now we will have a result as shown below;


In some cases you would like to do an action on a certain value. Every value in an array has an index number (starting at 0). So lets say we want to print the value Charlie we have to call the array value with the index number 2. The below example will print the value "Charlie"

my @phonetic = ( "Alpha", "Bravo", "Charlie", "Delta" );

print @phonetic[2];

Sunday, May 05, 2013

A lot of people do read information online and use online resources when figuring out how to code solutions. Online a lot of great resources can be found to support developers. One thing a lot of people do not think about however is that there is, in my opinion, some moral duty to also share back. People who do use online resources for free and learn from it and even make profit with the gathered knowledge should also share back. When you do share information it is good to remember also how you as a consumer of information would like to read the information. When it comes to code for example it is nice to see a good formated piece of code.

When placing code online it is good to do this in a way that it is formated in a nice way so that reading the code is more easy. To help you with this task when blogging you can make use of the Google Code Prettify project. The Google Code Prettify project brings you support for syntax highlighting of code snippets in a web page. For example the code part below is done by making use of this.

class Voila {
  // Voila
  static const string VOILA = "Voila";

  // will not interfere with embedded tags.

The Google Code Prettify project has a number of options for syntax highlighting for specific languages. You can find a list of them at the google code page. here you can also find ways on how to implement the Google Code Prettify solution on your blogger page and or your customer website.