FR reports security Issue

Similar Messages

• Sql Server 2008 Reporting Security issue ( added name to Server, some how cannot acces the report ) getting error message

  have added name to Sql server , users cannot access the report, getting error message ,
  I have give all the permission to this users, so why this users still cannot look at the report,
  and getting error message,
  An error has occurred during report processing.
  cannot create a connection to data source Ax live
  for more information about this error navigate to the report server on the local server machine or enable remote errors.
  can some please help me what this message means,
  I really appreciate it
  thanks In advance

  If "Credentials supplied by the user running the report" is selected, when the report is run, the user will be prompted to provide credentials.  They would need to provide credentials that have the appropriate permissions (e.g., read, execute) to the
  database.  This prevents the double hop.
  If "Credentials stored securely in the report server" is selected, you have to enter the username and password of a user (or service account) that has the appropriate permissions (e.g., read, execute) to the database. When the report is run, SSRS will use
  these stored credentials each time to authenticate to the database engine and query the data.  Users running the report are not prompted to provide credentials.  With this option you can use an Active Directory or SQL Server account.
  In order to access/run the report, a user will need to authenticate to SSRS.  There are options here as well. You can provide them the link to the report manager and they can authenticate, navigate to, and run the report.  You can also provide
  direct links to reports that users click in a document or application.  At this point the user is typically still prompted to authenticate to SSRS.  You can also programmatically call the report using API's and essentially build a proxy that authenticates
  to SSRS and open the report.
  Not sure if that answers your question.

• RV042 reports tunnel disconnection without connection for foreign IP, Security issue?

  Dear all,
  we are recently working with a RV042 router, with VPN group tunnel (connectig throw shrew VPN). Last days router is logging disconnections like this ("[XXX]" text replaced for security reasons)
  Dec 9 17:02:58 2014 XXX VPN Log: (grpips0)[72] [XXX].[XXX].[XXX].0/24=== ...113.240.173.58===?: [Tunnel Disconnected] instance with peer 113.240.173.58 {isakmp=#0/ipsec=#0}
  But NO RELATED "connections" (apart from our own controled connection/disconnection) is reported previously. Is this a security issue/breach?
  (The foreign IP was left clear so if anyone knows about that particular IP, can make a comment.)
  Thanks in advance. Regards, Juan.

  Zach,
  I will try to use that approach while using dynamic IPs to connect to VPN (cannot build an stable whitelist, and this can lead to connection lost in the near future until new IP is registered in the remote router).
  What I do not understand is:
  router logs a disconnection without a previous connection
  no other activity is detected on the VPN (perhaps only spying?)
  when I disconnect, two logs are generated (in order of appearance)
  Dec [xxx] [xxx]:[xxx]:[xxx] 2014 3EFF-3196 VPN Log: (grpips0)[73] 192.168.2.0/24=== ...[xxx].[xxx].[xxx].[xxx]===?: [Tunnel Disconnected] instance with peer [xxx].[xxx].[xxx].[xxx]{isakmp=#0/ipsec=#0}
  Dec [xxx] [xxx]:[xxx]:[xxx]2014 3EFF-3196 VPN Log: (grpips0)[73] [xxx].[xxx].[xxx].0/24=== ...[xxx].[xxx].[xxx].[xxx]===? #220: [Tunnel Established] ISAKMP SA established
  when foreign IP disconnects, only one is generated (e.g. whitout #220)
  Does this have an explanation?
  Thanks again, Juan.

• BI Security issue

  Hi,
  We applied BI Security filters for two of the facts which are used in our report. Issue is report is erroring out , only one security filter is getting applied corresponding to one fact. Can anybody comment on why this is happening.
  fyi : Both facts are same except other fact has an extra join to one dimension.
  Thankyou,

  what is the error you are getting?

• Why is Java Deployment Toolkit (click-to-play) blocked, also the referenced bug is closed and there are no security issues known in Version 7 U51?

  I think it is important to block unsecure addons. But if you do so there should be an open bug assigened. The referenced bug for this add-on is allready resolved so I do not know why this plugin is disabled. https://bugzilla.mozilla.org/show_bug.cgi?id=636633
  I have the problem that I want to use Secure_Auth that is using the Java Deployment Kit in such a nasty way (via javascript) that firefox doesn't see that the deployment kit should be started. Therefore I will not be asked to allow this plugin always for this web site. Since there is no documentation available how to do this configuration in a config file I am stuck at the moment.
  I'm a liitle bit suprised that blocking all versions (even secure versions) is a way to get a good user experience.
  Regards
  Martin

  ''MG_DAU wrote:''
  The referenced bug for this add-on is allready resolved so I do not know why this plugin is disabled. https://bugzilla.mozilla.org/show_bug.cgi?id=636633
  That's a bug report in the Blocklisting component, meaning it's a request to add an add-on to the blocklist. The fact that it's marked as fixed means the add-on has been added to the blocklist.
  * https://addons.mozilla.org/firefox/blocked/p428
  * [[Add-ons that cause stability or security issues are put on a blocklist]]
  Given that there's no way to disable Click-to-Play for this plug-in (the only options are Ask to Activate or Never Activate), if Firefox doesn't trigger a Click-to-Play prompt, I see no way to use it apart from disabling the entire blocklist. This carries a considerable security risk, as no plug-ins will be blocked or set to Click-to-Play, including known malware. If you're sure you want to go through with it, set ''extensions.blocklist.enabled'' to '''false''' in [http://kb.mozillazine.org/About:config about:config].

• Security issues for Discoverer 10g apps 12i

  gurus,
  I have couple of things to get it done at client.
  We are on Oracle Apps rel 12i with dicoverer 10g.
  Did anyone setup MOAC to be enabled and operational in business areas?
  Setting up secure responsibilities in discoverer for MOAC?
  Any setup needs to be done for custom report security in discoverer ?
  thx

  Hi,
  I did setup new MOAC security profiles and assigned multiple organizations to that profile for testing purpose.
  After this, I did run concurrent program "Security List Maintennce" etc...
  Tested Upding profile at user level or responsibility level.
  On APPS side fine.
  I need the some basic steps on setup of security issues for discoverer side.
  1) Business areas (any security steps need to be followed in order to access data for single or multi-org)
  2) Custom Reports ( any security setup or any moac security profile setting against responsibilty for accessing single or multi-org data)
  Since we dont have default operating unit parameter as specified in the concurrent program, how do you restrict data?
  3) Reconciling security approach r12 with discoverer (any steps need to be followed here after r12 configuration with security issues)
  4) Custom Views ( any steps to be followed for single or multi-org data as security aspect)
  Looking for info on these setups.
  Thx

• Security issue in DNS ! Update bind.

  Apparently there is a massive security issue in DNS protocol : http://securosis.com/2008/07/08/dan-kam … -released/
  or http://www.kb.cert.org/vuls/id/800113
  I am surprised I haven't seen any post on the forum about it. For now a solution could be to update bind to 9.5.0-P1 (I don't know if the one in testing is this particular one, there is no "P1").
  Every DNS server has to be upgraded since the issue is in the protocol, not in the code !

  A lot of systems got updated yesterday/today. I just checked a Windows Server 2003 x64 RC2 at work; yesterday it was vulnerable, but today it's reported safe after the recent security updates (this site offers some kind of check: http://www.doxpara.com/)
  I believe all the "big" ones in Linux did release an update yesterday, so there's probably plentiful of patches around... which is beyond the limits of my brain cells at the moment.

• Powerview Cannot connect to the server due to a security issue. The server may not have been able to match the host for silverlight

  Hello,
  I have a sharepoint 2010 sp1 CU Dec 2011 server with a SQL Server 2012 SP1 CU4 reporting services instance.  I am able to open Power View and use it normally when bypassing the ISA Reverse Proxy server.  However when going thru ISA I receive the
  following Error.
  Power View  Cannot connect to the server due to a security issue.  The server may not have been able to match the host for Silverlight.  This error appears after I click yes on an Internet Explorer Display Mixed Mode prompt.
  I've seen a couple references to this issue but not much.  This one mentions a clientaccesspolicy.xml file but I haven't had any luck with that.  http://connect.microsoft.com/SQLServer/feedback/details/716433/cannot-connect-to-the-server-due-to-a-security-issue-the-server-may-not-have-been-able-to-match-the-host-for-silverlight
  Any Ideas?  Thanks.
  Ryan

  Hi Ryan,
  Based on my research, the issue should occur due to a by design behavior in Threat Management Gateway (TMG). To work around this issue, you can use SSL between the TMG and the SharePoint Web Server.
  Hope this helps.
  Regards,
  Mike Yin
  TechNet Community Support

• Security issue with connecting to Microsoft Live

  I currently use StudioCloud for my studio management software. However, I'm unable to use the email features of the software as they state "**Adobe Air has a security issue connecting to Windows Live and, as such, StudioCloud can not work with Windows Live/Hotmail at this time.**" (http://app1.studiocloud.com/support/index.php?/article/AA-00265/0).
  Are there any plans on resolving this issue?
  As a small business owner, I need to streamline my processes.  If there is a possibilty of this being fixed in the near future, then I won't look at other options, but if it isn't, then I need to determine if I will be moving my email to another host, or using a different studio managment software, or finding a different method of handing my email communications with my clients which is efficient and meets my needs. 
  Thank you.
  Catherine Bowser

  Reported via a live chat.  I must say that the guy was very helpful and said he'd reported the issue together with the tracert data I had provided.
  Afraid I lose the will when trying to speak to BT by phone!

• Security issues in Mavericks 9.04

  I just had a secure scan done on my Mavericks server. The main issues seem to be:
  OpenSSL Running Version Prior to 0.9.8za Upgrade to OpenSSL version 0.9.8za or newer.
  Apache mod_negotiation Multi-Line Filename Upload Vulnerabilities (Upgrade to Apache version 2.3.2 or newer.)
  Given that upgrading these would mean compiling and installing Apache and OpenSSL(which I'm not really keen to do) I'm wondering what experienced admins think of these threats.

  pkmusic wrote:
  Dumb question - so a self-signed SSL cert doesn't use Open SSL?
  Certificates are used with ssh and SSL/TLS and such, yes.  Most of OS X uses Secure Transport for its certificate- and SSL/TLS-related processing, but Apache does not.  Apache is linked against OpenSSL.
  Self-signed certificates lead to a different security issue.  
  An HTTPS site with a self-signed certificate will be considered untrusted by accessing web clients and the web browser will usually issue diagnostics before allowing access to the site or a diagnostic before marking the certificate as trusted, or that you've set up your own certificate chain and installed your own root certificate.  That you're asking this question implies the former; that you're not really running HTTPS with a trusted certificate chain.   Which generally means you can just shut off SSL/TLS.
  As for the original question, here's how the scanner is likely detecting the down-revision versions — if you look at the server details being returned to the client, you'll see some information on Apache and OpenSSL versions embedded in the response:
  $ telnet foo.example.com 80
  Trying 10.1.3.1...
  Connected to foo.example.com
  Escape character is '^]'.
  HEAD / HTTP/1.0
  HTTP/1.1 301 Moved Permanently
  Date: Sun, 20 Jul 2014 14:40:11 GMT
  Server: Apache/2.2.26 (Unix) PHP/5.4.24 mod_ssl/2.2.26 OpenSSL/0.9.8y DAV/2
  Location: http://foo.example.com/
  Cache-Control: max-age=1209600
  Expires: Sun, 03 Aug 2014 14:40:11 GMT
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Connection closed by foreign host.
  $
  That won't get fixed without replacing Apache et al or one of the other options, as described in my earlier reply.
  For completeness, some folks will manually configure the server to not return these details.  That'll derail the the vulnerability scanner, certainly.  It might not have the intended result, too, as the remote attackers can simply decide to throw every attack they have at your server — the attackers are not short on CPU cycles and network bandwidth, after all; unintended consequences.
  As for using a self-signed cert and given you probably aren't providing file-level access to other folks, I'd not (personally) be particularly concerned about that vulnerability scan — one of the limitations with using vulnerability scanners is that you then have to go off and figure out if you're actually vulnerable to whatever the scanner is reporting.  It's an issue certainly, but then you'll have to decide if your backups are complete and current and with copies kept off-site, and if your other security practices and password policies and such are also all up to date and secure, and at what else you might risk if the server is breached — if configuring a DMZ for your server might be appropriate, for instance, to isolate the server from the rest of your network should the server be breached.

• Security Issues with workbook

  Hello All,
  When I log into discoverer with some responsiblity "a" i am able to see the output of the particular workbook.
  But when the same work book ran by other user with differnet responsbility "b" and with with same parameters , he is geting the message as "'The query caused no data to be returned" .
  There seems to be some security issues. Can any one kindly explain the process why the user is not able to view the output. In order to overcome this what are the actions i need to do.
  Thanks for your support.
  Best Regards,
  Kumar.

  Hi,
  I assume that you are using Oracle Applications and that the user is connecting with a different apps responsibility.
  In Discoverer, security can be applied at 4 levels; in the workbook, in the EUL, in views and using VPD. Application 11i security is mostly applied through views.
  Now, the security applied depends on the Apps module. GL, AP/AR, PO and FA all have different mechanisms for applying security. Mostly the security applied will be determined by security profiles set up for the responsibilities. But for example, GL, also uses row based (procedural) security based on the flexfield security rules in some of the GL views. If you are using a custom responsibility you will need to ensure that all the security profiles are set up for this responsibility.
  So your first step is to look at what view(s) are used in the report. Then determine which security profiles are checked by this view. So if it is a GL view you need to check the 'GL Set of Books Name' profile is defined for that responsibility.
  Without knowing which modules you are using, which version of Oracle Applications or whether you have custom or seeded responsibilities it is difficult to know why your report does not return data for the responsibility.
  Rod West

• How To Security Report Security Vulnurability On S...

  So for the past 2 hours I've been trying to report a security issue regarding Skype.
  Can someone please provide me with a direct phone number or email to the relevent security department to file the report to and request a claim of any Microsoft bounty applicable.
  Over the past 2 hours I've had Skype Chat Support give me a Microsoft phone number who sent me about from department to department, fobbed me off, and nigh-on insulted me, all the while unable to comprehend that the issue wasn't with my account but with a Microsoft product, who eventually then told me to use Skype Chat Support who then told me for some absurd reason told me to contact Microsoft advertising department or to post all of the information here.
  As you can understand this is really starting to get my goat so I was wondering if anyone had any direct/security way of reporting this by phone or email.
  Thanks in advance.
  Solved!
  Go to Solution.

  Hi, ScottBull, and welcome to the Community,
  Skype does not host a telephone call-in facility, and nor does Skype use a general e-mail address.  I have flagged your report for review by those to whom I report, as Skype Customer Service ought to have reported your findings to the correct authority within Skype. 
  I am not familiar with any bounty or payments offered for these types of reports.
  Regards,
  Elaine
  Was your question answered? Please click on the Accept as a Solution link so everyone can quickly find what works! Like a post or want to say, "Thank You" - ?? Click on the Kudos button!
  Trustworthy information: Brian Krebs: 3 Basic Rules for Online Safety and Consumer Reports: Guide to Internet Security Online Safety Tip: Change your passwords often!

• EnterpriseOne Report security

  Hi, I am very new to E1. I have just promoted report from PY to PD. Our users still can not see the report. They want to see the report under Purchasing Reports .
  Can someone please guide how can I do this after promoting to PD. I am also trying to read manuals and trying to find out. Looks like this is report security and menu issue but don't know where to control this. Any urgent help is really appreciated.
  Thanks
  Muhammad

  Hi,
  The short answer is no, you need to split the workbook into multiple workbooks and then share.
  However, you should aim to secure you reports at all 3 levels:
  1. Data security - Users are prevented from seeing rows that they should not access using mandatory conditions in the EUL, VPD or views.
  2. Business Areas - Users should only be able to access to the BA that they can report from
  3. Workbooks - Workbooks should only be shared with users who are allowed to see the data in the workbook.
  The workbook security should only prevent the user from running the workbook not be used to secure your data. If the workbook was shared with the wrong user they should always get no rows when the workbook is run.
  Rod West

• SSRS (Security) issues in Firefox and Chrome

  in both browsers the layout is a mess to start with.
  Biggest problem in both cases is: The detailView button is vissible even if your not admin.
  So when ppl click this they are able to see/modify datacources and see hidden directories and stuff. I havent checked if they can really change stuff but it seems to me that its not what we want. If you are not admin you shouldnt see the DetailView button
  at all.
  1 other thing that doesnt work in Chrome. The report itself. you can fill in parameters but the report itself wont show up. but thats a minor problem.
  the security issue with the DetailView option available for everyone would be a major problem id say

  Which version of Reporting Services are you running?
  Check this article on MSDN about browser compatibility of SSRS: Planning for Reporting Services and Power View Browser Support
  SSRS works best on Internet Explorer. If you use other browsers, something may not be displayed correctly.

• Flash Player "known security issue"

  Trying to install update for Adobe Flash Player 15.0.0 on iMac OS X Yosemite 10.10.1 Safari Browser. Get Message "The version of "Adobe Flash Player" on your computer has known critical security issues. Only websites set to "Always Allow" are allowed to run this plug-in. To protect your system, use of this plug-in is now blocked for all other websites." I have retried download several times, but am blocked each time by the same above result.
  Please Help!
  Fritz

  Hi,
  You might want to add this as a bug over at bugbase.adobe.com.  I gave it a try on my Win 7 x64 system but wasn't able to reproduce the problem (see video link below.)  In addition to the bug report, I'd also recommend reposting over on the Flash Professional forums?  This forum is primarily for end users, the Pro forums will get you in touch with a wider developer audience.
  http://youtu.be/lWDUxrxBmoQ?hd=1
  Thanks,
  Chris