Solution Beacon, LLC, Oracle Applications, consulting, database administration, oracle application implementation, implementation, upgrade, resource, resources

News

Whitepapers

Best Practices

Links

Solution Beacon Security Best Practice #16 - Limit Access To Forms Allowing SQL Entry

Believe it or not, the E-Business Suite actually has numerous forms that allow users to enter SQL statements that get executed directly to the database, which means that no controls are in place to prevent an internal bad guy from abusing this privilege. This is a significant attack vector that needs to be mitigated if at all possible!

The table below shows the Forms that allow users to enter SQL statements, edit code, add code or otherwise affect executable code. Access to these forms should be (in order of preference) eliminated or restricted to a small group of users. If the business justification means that the access cannot be eliminated, then I would strongly suggest that auditing be turned on for those tables.

EBS Forms That Accept SQL Statements

Form Function	Form Name	Table Name
ALR_ALRALERT	ALRALERT	ALR_ALERTS
FND_FNDCPMCP_SYS	FNDCPMCP	FND_CONCURRENT_PROGRAMS
FND_FNDCPMPE	FNDCPMPE	FND_EXECUTABLES
FND_FNDFFMDC	FNDFFMDC	FND_DESCRIPTIVE_FLEXS FND_DESCR_FLEX_CONTEXTS FND_DESCR_FLEX_COLUMN_USAGES
FND_FNDFFMVS	FNDFFMVS	FND_FLEX_VALUE_SETS FND_DESCR_FLEX_COL_USAGE FND_ID_FLEX_SEGMENTS FND_FLEX_VALIDATION_TABLES FND_FLEX_VALIDATION_EVENTS
FND_FNDPOMPO	FNDPOMPO	FND_PROFILE_OPTIONS
FND_FNDSCAPP	FNDSCAPP	FND_APPLICATION
FND_FNDSCDDG	FNDSCDDG	FND_DATA_GROUPS FND_DATA_GROUP_UNITS
FND_FNDSCMOU	FNDSCMOU	FND_ORACLE_USERID
PSB_PSBSTPTY	PSBSTPTY	PSB_ATTRIBUTE_TYPES
MSDCSDFN	MSDCSDFN	MSD_CS_DEFINITIONS
MSDCSDFA	MSDCSDFA	MSD_CS_DEFINITIONS
MSD_MSDAUDIT	MSDAUDIT	MSD_AUDIT_SQL_STATEMENTS
JTFRSDGR	JTFRSDGR	JTF_RS_DYNAMIC_GROUPS_B JTF_RS_DYNAMIC_GROUPS_TL
JTFBRWKB	JTFBRWKB	JTF_BRM_RULES_B
ONT_OEXPCFVT	OEXPCFVT	OE_PC_CONSTRAINTS OE_PC_CONDITIONS OE_PC_ASSIGNMENTS OE_PC_VTMPLTS
ONT_OEXDEFWK, QP_OEXDEFWK	OEXDEFWK	OE_DEF_ATTR_DEF_RULES
JTFTKOBT	JTFTKOBT	JTF_OBJECTS_B JTF_OBJECTS_TL JTF_OBJECT_USAGES
JTF_GRID_ADMIN	JTFGRDMD	JTF_GRID_DATASOURCES_B JTF_GRID_COLS_B
JTFGDIAG	JTFGDIAG	JTF_GRID_DATASOURCES_B JTF_GRID_COLS_B
JTFGANTT	JTFGANTT	JTF_RS_RESOURCE_EXTNS JTF_RS_GROUPS_B JTF_RS_TEAMS_B
QP_QPXPRFOR	QPXPRFOR	QP_PRICE_FORMULAS_B
QP_QPXPTMAP	QPXPTMAP	QP_ATTRIBUTE_SOURCING
GMAWFPCL_F	GMAWFPCL	GMA_PROCDEF_WF