Security issues in oracle ApEx

Similar Questions

• Database Oracle Express security issues

  Hello
  
  I really hope you can help me with this.
  
  I have a machine with Ubuntu installed Server and Oracle 10 g 10.2.1.0 database Express, currently I had some security because of a spam bot problems and some zombie running process on my server, I already closed all ports which are not very necessary.
  
  After doing a Scan of Nessus, the results were a lot of patches Oracle are needed, after some research, I discovered that it takes a CSI.
  
  My question is this, is there an alternative to the installation of this paches? As the upgrade to 11g maybe would solve my problem?
  
  Thank you very much in advance.
  
  Gustavo.

  If you are concerned about potential security issues, you can consider getting a paid license and support - not available/possible services with XE.

  That said, 11.2 XE is likely to have another set of bugs, but as is 11.2.0.2 version that is not a basic version it might be beneficial. You just need to install it and try it! (Note: there is no way to upgrade with XE, AFAIK)

• Security issue with APEX LDAP authorization

  Hello
  We use LDAP authentication in our applications. Now, the ADMINISTRATOR stressed that all passwords are saved in the logs if monitor you the session apex_public_user with dbms_monitor.session_trace_enable (you define binds to true to get the parameters passed).
  
  Although it could be argued that a user how is allowed to run dbms_monitor should be a s/n trust, the requirement is to hide passwords in logs. To my knowledge, it is impossible to do, or am I have wrong here?
  
  If this is true, is the only option to use safely LDAP is for the browser authenticate directly, without going through any logic apex?
  
  Best regards
  
  Jürgen

  Hi Jürgen,

  How your custom permission of LDAP look like? You call the APEX_LDAP package? If you want to avoid the bind variable in this context to prevent their record in the trace file, you can use the V function instead. For example:

  if apex_ldap.is_member (
         p_username => :P101_USERNAME,
         p_pass     => V('P101_PASSWORD'),
         ... ) then
  

  Concerning
  Patrick
  -----------
  My Blog: http://www.inside-oracle-apex.com
  APEX Plug-Ins: http://apex.oracle.com/plugins
  Twitter: http://www.twitter.com/patrickwolf

  Published by: Patrick Wolf on November 19, 2012 14:26

• XMLFile parameter is not supported by Oracle APEX, please use the setXMLFile() method

  "XMLFile parameter is not supported by Oracle APEX, please use the setXMLFile() method.

  I created a test web app in apex.oracle.com to try a few things. I created a Flash 2D pie chart in a Web page, and it seems to make very well. But before rendering, I get the error message above, on the region of graph for 1-2 seconds.

  Can anynone tell me what means the error message above and why I'm getting this. I do not use a custom XML part. Has not changed the default settings of the chart area.

  I could see above the error appearing clearly since the apex.oralce.com is so slow... and graphics region takes awhile to load. Otherwise I could not have noticed. It happens in the IE8 and Google chrome.

  Oralce Apex 4.2.5.00.006 (https://apex.oracle.com)

  Google Chrome 34.0.01847.116

  Internet Explorer 8.0.6001.19518

  Can anyone help please. I'll try to become a test application setup dispalying this awhile earlier error message.

  I used HTML5 graphics in apex 4.2.0.00.27 in my office in my real application workspace. Most of my users still use IE8. HTML5 graphics all appeared well in their IE8 browser. One fine day, some parameters must be changed by my network administrator or soemthing else could have happened. I have no idea. My webapplication HTML5 graphics disappear IE8 users. IE9 users had no problem. I contacted our IT support staff of any changes to security settings that day, or earlier. Absolutely no help from my frustration. I have to change maps of my application (only about 6 of them) to the Flash graphics to overcome this obstacle. This is the story behind why I use Flash cards. If anyone has experienced a similar problem in IE8 HTML5 graphics please shed any light for me... This problem may be nothing to do with the "XMLFile parameter error message', but I'm not sure.

  You strike again BUG introduced with Oracle Application Express 4.2.5

  http://www.Oracle.com/technetwork/developer-tools/Apex/application-express/Apex-425-known-issues-2186292.html

  18601802 - ANYCHART XMLFILE WARNING DISPLAYED BEFORE FLASH GRAPHICS RENDERING when Flash graphics that take a long time to make, the user can see the following warning message appears briefly "XMLFile parameter only is not supported by Oracle APEX, please use setXMLFile() method.» The table will be always delivered. Solution: Please advise end-users to ignore the message.

• Public using DBLinks in Oracle APEX

  Hi all, have no restrictions in the use of public DBLink Oracle apex?

  Thank you.

  No, if you can run the query in the analysis schema then APEX will show it. This is an old post on the subject.

  ORACLENERD: APEX: database of links

  Also check the security settings for application for ' Code PL/SQL for cleaning.

  http://blog.iAdvise.EU/2011/12/20/using-a-database-link-with-heterogeneous-services-in-apex/

• How to limit navigation directly via the URL when the user tries to type the page number and access this page in ORACLE APEX 4.2

  Hi all

  I developed an application where I have 6 pages and 5 tabs and based on the user role I posted the tabs for the user to access these pages.

  But when the user, who doesn't have access to the particular page (say, page 2), but still the user can navigate to it directly by typing the page number in the URL.

  I want to avoid such scenarios.

  eg: http://Apex.Oracle.com/f?p=110:2 , when the user type this in the address bar, it navigates the user to this page even if this particular user does not have access to this page.

  How to prevent the user to navigate through the URL, if the user tries to navigate directly through URLS rather than tabs, I have to give the error message.

  Version: ORACLE APEX 4.2

  Thank you

  Good reading this recent post

  Re: Authentication at the Page level

  All links to a page and the page itself must be secure.

  You can also consider the protection of session state to prevent tampering of the URL.

• Export of apex (oracle.apex.APEXExport) on Oracle 12 c and ORA-28040

  Customer running of Java oracle.apex.APEXExport (from Apex v4.2.5) against a 12.1.0.2 RAC - and JDBC connection failure made with a ORA-28040: no authentication protocol for. (works without problem against all our 11g RAC)

  Oracle MOS see Notes section Configuration of SQL * Net of parameters (SQLNET.) ALLOWED_LOGON_VERSION_CLIENT and SQLNET. ALLOWED_LOGON_VERSION_SERVER) to an earlier version (example 8) on the client and the server, bouncing the listener, etc.

  Googling turned up the solution to the CLASSPATH to include the ojdbc6.jar (as the first jar jdbc in the path) - and only using one more late JDBC driver/pot solves the problem.

  Played a bit with both options, but not luck. Always get the error ORA-28040 .

  Ideas, comments and suggestions will be appreciated on how to address this issue.

  Well, problem solved. With the CLASSPATH workaround works fine - if done correctly.

  Find an odbc6.jar on the platform, for example

  find $ORACLE_HOME-name ojdbc6.jar

  Set the classpath the jar of real and then in the utilities directory in your file Apex (i.e., the location where you have unpacked your download Apex). For example

  export CLASSPATH=/u01/app/oracle/product/11.2.0/dbhome_1/jdbc/lib/ojdbc6.jar:/software/apex/utilities

  Now run export Apex by following the instructions, for example

  Java oracle.apex.APEXExport - db :: -user -password -instance

• Political life support Oracle APEX 5/ADR 3

  I looked at all at the time of the strategy paper of Oracle support to life

  I'm curious to know if/when this will be updated with the latest versions of the APEX and ADR

  Hi Matt,

  I think it was an oversight that the current version of the document Oracle Lifetime Support policy does not include the latest version of Oracle APEX 5.0.  The revised version, which I believe is set for publication by the end of July, he'll understand.  In the meantime, you can refer to our RTO page for the latest information of support policy to life for Oracle APEX, accessible via the learn more > guarantee section: http://www.oracle.com/technetwork/developer-tools/apex/learnmore/apex-support-1866620.html.

  I have contacted the team development of ADR, to report missing information for ADR 3.0 on the document and I am sure that this issue will be resolved as soon as possible.

  Kind regards

  Hilary

• Y at - it DB Oracle options that do not work with Oracle Apex

  Hi team,

  Y at - it options Oracle DB (DB audit vault wall and fire. HCC, advanced... Security etc) which will not work with Oracle Apex. Please let us know of a few documents if you

  Thank you kindly,

  Hi Rhine23,

  Rhine23 wrote:

  Y at - it options Oracle DB (DB audit vault wall and fire. HCC, advanced... Security etc) which will not work with Oracle Apex. Please let us know of a few documents if you

  It's the kind of question that can be answered with My Oracle Support | First Oracle Support or you can write to the APEX [email protected] about this application development team.

  Also, see the "Support" section at the end of the page Oracle Application Express - downloads.

  I hope this helps!

  Kind regards

  Kiran

• Oracle apex 5.0: pass values from one page to the other as well save you can save same value in the table.

  I use oracle apex 5.0

  Issues related to the:

  (1) I created an application where I have a form on which I have a button named 'Add', now if I click on that button values need to be stored in table.how to create! I use the dynamic button that is created by the html tag < input type = "button" > need help with this.

  (2) if the value stored in the table how the same value will be on the agenda of the calling page. ?

  New to this world of Apex.

  concerning

  Pranav shah

  http://zderadicka.EU/Apex-dynamic-actions-with-report-region/

• Jasper on oracle APEX integration error. "Error: file null.jasper not found.

  Hi all

  Recently, we have configured Oracle APEX and configured report Jasper on Glassfish 4.1. Everything went well, but when you try to run the test report we get following error.

  "Error: file null.jasper not found.

  Can anyone help with this?

  Database: Oracle 11g R2

  APEX: 4.2

  GlassFish 4.1

  Report of Jasper 1.3.0.2

  Hi Kiran,

  Thanks for your reply, we used the same link for integration.

  But now we have solved the problem. The issue was with the version of Glassfish. It seems that report jasper is not compatible with the 4.1. So, we removed 4.1 Glassfish and install Glassfish 3.1. That solved the problem for us.

• Oracle APEX help validate users

  Hello

  Please let me know, how I can activate a button for some specific users to Oracle APEX.

  Only when these users login, they can show the button, but when other users are registered in the button should be hidden.

  Please let me know if there is an article on this existing already or any reference on how to do this.

  Thank you

  Valsaint

  Hi valsaint.

  Alessandro wrote:

  Hello

  Please let me know, how I can activate a button for some specific users to Oracle APEX.

  Only when these users login, they can show the button, but when other users are registered in the button should be hidden.

  Please let me know if there is an article on this existing already or any reference on how to do this.

  Thank you

  Valsaint

  By creating a system of authorisation and then assign to the Page or its components.

  Reference: http://docs.oracle.com/cd/E37097_01/doc.42/e35125/sec_authorization.htm#HTMDB12004

  If you are using Application Express accounts for the management of users, then you can also create a page of access control:

  Reference: adding security to your Application database using Oracle Application Express 4 2

  I hope this helps!

  Kind regards

  Kiran

• Site Web of Oracle ApEX based

  I intend to create a Web site using Oracle ApEX and a question about security, authentication.

  Most of the pages are going to be public to anyone, but some of them will require authentication. My question is what is the guideline to handle this? If I activate an authentication on application level scheme then each visitor is going to land directly on the login page when you visit the Web site, which is not good. I intend to place a login box area of the public pages, so users can connect / register if they want to.

  Your help is very appreciated!

  Hi user13428604,

  user13428604 wrote:

  Update your 'user13428604' user ID to something meaningful. Reference: Video tutorial how to change username available

  I intend to create a Web site using Oracle ApEX and a question about security, authentication.

  Most of the pages are going to be public to anyone, but some of them will require authentication. My question is what is the guideline to handle this? If I activate an authentication on application level scheme then each visitor is going to land directly on the login page when you visit the Web site, which is not good. I intend to place a login box area of the public pages, so users can connect / register if they want to.

  Your help is very appreciated!

  You can have Oracle APEX application pages are public, even if the authentication is enabled at the application level. You define the Attributes of Page -> authentication Page is Public for pages that are going to be public. The pages that are not public, to set the Attributes of Page -> authentication Page requires authentication(which is set by default to the creation of the page). So when the user accesses the public pages, the app will not ask the user for authentication, but when he tries to access the page with all of the authentication, it will ask you for credentials.

  It's Security page attributes screenshot where you want the public pages:

  

  Reference:

  • The authentication scheme documentation
  • Related documentation of the Security page attributes

  I hope this helps!

  Kind regards

  Kiran

• Oracle Apex 4.2.4 cannot create PDF

  I can't create PDF reports through the use of Apex.

  (1) I have installed Oracle XE, upgrade the application Express of Apex 4.2.4.00.08

  (2) in the print report Listener Oracle APEX value Instance settings

  (3) established a basic report of the emp demo table

  (4) set to allow reporting printing = 'yes '.

  When I run the report and select pdf I get error message not a pdf file is valid.

  Open the file in wordpad and it contains, given therefore seems not to be conversion from XML to PDF format below.  Any ideas what I am doing wrong! :

  <? XML version = "1.0" encoding = "UTF-8"? >

  < apexListnerFOP >

  < DOCUMENT >

  < DATE > 07/03/2014 < / DATE >

  STAFF of < user_name > < / username >

  < > 101 APP_ID < / APP_ID >

  Ridgway library < APP_NAME > < / APP_NAME >

  < > 12 PAGE_ID < / PAGE_ID >

  Report < TITLE > 1 < /title >

  < REGION ID = "2221822669173184" >

  rowset <>

  < ROW >

  < > 7369 EMPNO < / EMPNO >

  SMITH < ENAME > < / ENAME >

  CLERK of < JOB > < / JOB >

  < MGR > 7902 < / MGR >

  < HIREDATE > 17/12/1980 < / HIREDATE >

  < > 800 SAL < / SAL >

  < COMM > < / COMM >

  < DEPTNO > 20 < / DEPTNO >

  < / ROW >

  The issue was the auditor of the Apex.  I didn't properly configure it.

  I've recreated the service ensuring that account APEX_PUBLIC_USER has been unblocked and APEX static resources highlighted in apex/pictures folder.

  Now works.

• How do I run the exp for the backup command in Oracle APEX 4.0

  Hello!
  
  I use APEX 4.0 with Oracle R11i. For the daily backup, I have to use the procedure "CMD". Is it possible to run this script "EXP" through a BUTTON or something in Oracle APEX 4.0
  
  Are you looking for a quick answer
  Kind regards

  The short answer is: No.
  exp is a command line (DOS) and due to browser restrictions/security, you can't run a command from a browser (malicious website would like this feature, run "format c: /" browser...).