Security issue with content areas

Hi Everyone,
I was wondering if anyone else has experienced this. If you have, is there a work around? It seems like some of content area security is cached in the database. This is what happened in my two test cases.
Test case 1:
- First I created several content areas with subfolders by using the wwwsbr_api.
- I granted access to just to the content area, and not the subfolders. I did this because when I looked at the content areas created above, the Add Privileges To All Sub-folders was marked.
- Then when I login as the test user I was able to see the content area, but none of the subfolders. That didn't surprise me because I was guessing that the radio button to add privileges to the subfolder was only used when the user pressed the Cascade Privileges button.
- I granted access to the all subfolders on the content areas the test user should be able to access.
- Then I login again with the test user. I move into the content area that I viewed the first time, and I still can't see the subfolders. But I could see all the subfolders of the other content areas the test user had access to.
- I logged in to make sure the group was added to access the subfolders of the content area. The group did have access to the content area and all the subfolders, but the user still could not see the subfolders.
- The only way the test user was finally able to see the subfolders was for me to go to the content area and pressed the Cascade Privileges with Add Privileges To All Sub-folders marked.
So it seems like for some reason Oracle is storing the security, and not updating it when it is updated via API for content areas.
Test case 2:
- First I created several content areas with subfolders by using the wwwsbr_api.
- I granted access to just to the content area, and not the subfolders.
- Then when I login as the test user I was able to see the content area, but none of the subfolders.
- I alter the test user and give him the privilege to view all content areas.
- I login again as the test user, and I go to the content area I looked at the first time I logged in, but still couldn't see any of the subfolders in it. I went to two other content areas, and was able to see all the subfolders.
- I alter the test user again removing the privilege to view all content areas.
- I login again as the test user and look at the second and third content area again. I still could see all the subfolders even though the user does not have access to them.
I have tried clearing cache, history, deleting all temporary files and restarting my computer to make sure that it was not caching issue in the browser.
Thanks,
Tom

Hello Simon,
do you have access to SAP notes? Here you will find the detailed information when the problem will be solved:
[Note 1178438|https://service.sap.com/sap/support/notes/1178438]
Regards, Christiane

Similar Messages

  • Are there any security issues with Quicktime player on macbook

    Are there any security issues with Quick Time Player on macbook pro? 2010 model running Yosemite recently upgraded. Thanks!

    No.

  • HT201178 Are there security issues with pairing keyboards with certain passkeys?

    Are there security issues with pairing keyboards with certain passkeys?

    Hello, some info on that...
    http://x704.net/bbs/viewtopic.php?f=29&t=6059&p=73599&hilit=bluetooth#p73599

  • Using latest version of fireFox to access Think Central, pages will not load and they say that this is a security issue with FireFox?

    Teachers in our district are supposed to use www.thinkcentral.com with FireFox.
    Some have no problem accessing the lesson plans.
    Most when they login click on a lesson plan and an icon shows up that says loading but never does.
    If you reboot the computer and login you can open a page once but not a second time and no other lessons will open.
    Think Central support says this is a security issue with Firefox.
    I have updated FireFox, all the Adobe, Reader, Flash, Air and Shockwave. As well as Java.
    I have allowed the pop ups to the think Central web site.
    Any help would be appreciated

    Are there any notification icons on the left end of the address bar? If so, please click them to see whether they related to security issues (such as blocked content - shield icon: [[How does content that isn't secure affect my safety?]]) or a plugin requiring permission (Lego-like icon).
    Does Think Central have any help pages about this issue? Without an account, it is difficult to explore the issue first-hand.

  • Severe Security Issue with Sharing Permissions and Windows

    I recently discovered a severe Security issue with the windows sharing and permission settings:
    I have two users, an admin user and a parental controlled user. On my mac mini, i have a external harddrive connected. On the harddrive, i have three folders, Itunes, Iphoto (Package) and a Temp Folder. I want to share the Harddrive RW for the admin, but only R for the parental user. But the Temp folder should be accessible for RW for the parental as well.
    1. I set the Drive checkbox "ignore ownership" off.
    2. I set the permissions of the drive to admin RW, parental R and Everyone to "no access"
    3. I apply to enclosed Items
    4. I set the permission of the Temp folder to admin RW, parental RW and Everyone to "no access"
    5. I apply to enclosed Items
    6. I go to "File Sharing" in the Preferences and activate SMB sharing for both users
    7. I delete all previous shares
    8. I add the Disk and use the proposed permissions which are admin RW, parental R, Everyone "no access"
    9. I add the Temp folder and use the proposed permissions which are admin RW, parental RW, Everyone "no access" - Funny, there is a new Group called "Temp" created which has custom access on both sharepoints
    10. I connect to the mac over a Windows machine (NTLM auth set appropriately). Now I try to create a folder on the root of the Disk share, I get a denied message.
    BUT WHEN I GO INTO A SUBFOLDER (eg. ITUNES or IPHOTO), WHICH HAS ALSO JUST "R" PERMISSION FOR THE PARENTAL USER, I AM ABLE TO RW, DELETE AND DO EVERYTHING!!!
    TO RECAPITULATE: THE SHARING PERMISSIONS ARE "R", AND THE FILE PERMISSIONS IN THE RESPECTIVE FOLDERS FOR THE RESPECTIVE USER ARE ALSO JUST "R". BUT THE USER CAN DO EVERYTHING IN THE SUBFOLDERS!!!

  • Security issues with connecting pdf to database

    I have a pdf form that is being called from a webform as part
    of a web application. The PDF has two dropdown lists that I was
    populating from a SQL Server Database. I had created a special user
    that had select access only to the tables for the dropdowns.
    My question is are there any known security issues with
    regard to allowing a pdf to connect to a database this way. The PDF
    is being called from a secure connection but I don't know if
    opening this database connection to populate these dropdowns
    exposes a security hole of any sort. If it does, do you have a
    solution to make this secure? I am asking because another developer
    on the project brought up the issue of this design creating a
    security risk and I haven't been able to find anything online
    discussing it either way.
    Thanks!
    Maureen

    Hello Maureen,
    Thanks for posting, but I'm not sure I see if your question
    relates to Acrobat.com
    Are you using any of the Acrobat.com Services as any part of
    your workflow?
    Thanks!
    Pete

  • Security Issues with 8.1 Pro

    I have had several security issues with Windows 8.1 Pro.
    I am curious if the following apps should be loaded by default:
    CheckPoint.VPN
    JuniperNetworks.JunosPulseVpn
    SonicWALL.MobileConnect
    F.vpn.client
    These programs are installed on a fresh install of Windows 8.1 Pro but I do not think they should be.  They are present prior to the install of any 3rd party programs or apps.
    Thanks

    I found them in my firewall list on my Windows 8.1 Pro installation and posted a question on a forum as well, though I don't think it was here.  I don't believe anyone ever answered.
    It looks as though these are parts of the bundled virtual private networking clients.
    Note, for example, the "distributed by Microsoft as part of Windows 8.1" wording on this page:
    http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=PG&id=605
    -Noel
    Detailed how-to in my eBooks:  
    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

  • Privacy/Security Issue with Adobe Flash 10

    Not sure if anyone has noticed this or not, but there is a
    bizarre (if minor) privacy/security issue with Adobe Flash Player
    10. I came across it while attempting to upload a file to Flickr.
    Previous versions of AFP do not exhibit this problem.
    Specifics: using Firefox 3.x, Vista.
    The problem: When Flickr calls the "open file" dialogue in
    Flash 10 (in order to upload files) via the "Upload Photos and
    Videos" link, at the bottom of the dialogue, to the right of the
    "File Name" box, sits a common UI element that brings up a dropdown
    menu of what appear to be (or at least are supposed to be) recently
    viewed or downloaded or accessed files. Actually I'm not sure how
    Flash 10 compiles or accesses this list of files, but at any rate,
    a list of files come up.
    The problem is that, as far as I can tell, the list of files
    that come up reference a long list of files, some that are very old
    and that no longer exist, and that there is no way that I can find
    to clear the list. This is a minor security/privacy issue, as
    generally there should be a way to prevent a dialogue from
    displaying a long list of past-accessed files by clearing a cache
    somewhere or other -- imagine if it was impossible to clear the
    history of a web browser, for example -- this would be considered a
    pretty significant privacy issue. I have tried everything from
    flushing the browser cache to uninstalling and reinstalling the
    browser to uninstalling and reinstalling Adobe Flash to using the
    Flash Settings Manager to clear out the Flash saved sites to
    turning off Vista indexing to clearing out Vista's Recent Items
    list. None of these actions did anything to clear out this list of
    files. I can find no references to these files anywhere when I use
    Vista Search (with unindexed and system files searched as well),
    and I can find no reference to the files anywhere in the registry
    (I checked just in case Flash 10 was storing this index in some
    really bizarre place.) I've linked to a screenshot below of what
    I'm talking about -- most of the files listed below were deleted a
    long, long time ago, and so I have no idea why this dialogue refers
    to them.
    Screenshot
    Is there a simple work-around for this that I'm unaware of?
    Even if there is, there needs to be some more obvious way to clear
    out this list. Where is this information being stored, and what
    criteria does this list use to "put a file on the list"?

    Thanks for putting me on the right scent. That's what I'd
    originally thought, too -- it's just that the file-> open dialog
    was giving an entirely different list of files with other
    applications, so I assumed that it must be Flash that was the
    culprit. Turns out the reason it was different with Flickr was
    because it was restricting the file results via a long string of
    video and picture filetypes that are compatible with the Flickr
    service.
    It turns out the information I'm looking for is buried deep
    within the registry. The only way to clear out this list of files
    is to delete the following key (or specific subkeys):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidl MRU
    Seems more than a little stupid to store such information in
    the registry if security is your concern. Vista beguiles me
    sometimes.

  • Security issue with unlocking my iPhone 4?

    I'm not sure if anyone here will be able to help me but I am trying to get my iPhone unlocked with AT&T. I bought my iPhone on contract through AT&T in December 2010. My account is in good standing. I paid my ETF, it's technically eligible to be unlocked. I called AT&T on April 9th for an unlock and it's now April 19th and still no word from them. I've called several times and they won't tell me what's going on other than that "there is a security issue with unlocking my iPhone and the issue is with Apple, but they are working on it." From my understanding, all AT&T needs is the unlock code to enter into the system and unlock it from there. I don't know what security issues could possibly exist that would create a problem. The only thing I can think of is that when I originally bought my iPhone it turned out to be a lemon and had to get it replaced the day after I bought it. I did this through an Apple store since it was around Christmas. The IMEI number on my phone doesn't match the one AT&T has on file, but that shouldn't matter? I gave them the right IMEI number that is on my current phone. Does anyone know what "security issues" can exist when it comes to unlocking an iPhone 4?

    Don't stress over the words used by the customer service people at AT&T. Half of them don't know what they're talking about more than half the time.  You are probably correct in that it has something to do with their database being inaccurate. 
    Give it a few days, then contact them again and ask for it to be escalated.
    Ignore rNair. The idea that Apple made it mandatory for AT&T to do anything is complete and total bunk. (S)He has no idea what (s)he's talking about.

  • Any security issues with My MSN or outlook bookmarks

    any security issues with My Msn and Outlook as bookmarks

    Your question is not quite clear, and no Mac can iOS, but anything and everything made by or for Microsoft carries a security risk.
    Which is why most sensible people run Apple OS X.

  • Security issues with Lion

    Anyone know what the real deal is with OS X Lion security.  I've heard lots of things about how the recent Blackhat conference in Las Vegas said that Apple's security was not as good as Windows 7's.  Anyone know anything about this?  Thanks in advance for any feedback or input.

    JB2909 wrote:
    I've downloaded Java for OS X Lion 2012-001 to fix the security issues with Java but when I open it to install it gives me an error message saying don't open it as it has a disk image issue (?) and may make my computer less secure or cause other issues? I don't understand why it would cause security risks when it is supposed to be a patch to fix them?!  Is it safe to go ahead and open/install?
    Could that be why Apple has released Java for OS X Lion 2012-002 here: http://support.apple.com/kb/DL1515 ?

  • Security issue with connecting to Microsoft Live

    I currently use StudioCloud for my studio management software. However, I'm unable to use the email features of the software as they state "**Adobe Air has a security issue connecting to Windows Live and, as such, StudioCloud can not work with Windows Live/Hotmail at this time.**" (http://app1.studiocloud.com/support/index.php?/article/AA-00265/0).
    Are there any plans on resolving this issue?
    As a small business owner, I need to streamline my processes.  If there is a possibility of this being fixed in the near future, then I won't look at other options, but if it isn't, then I need to determine if I will be moving my email to another host, or using a different studio management software, or finding a different method of handling my email communications with my clients which is efficient and meets my needs.
    Thank you.
    Catherine Bowser

    Reported via a live chat.  I must say that the guy was very helpful and said he'd reported the issue together with the tracert data I had provided.
    Afraid I lose the will when trying to speak to BT by phone!

  • Security Issues with workbook

    Hello All,
    When I log into discoverer with some responsibility "a" I am able to see the output of the particular workbook.
    But when the same workbook is run by another user with a different responsibility "b" and with the same parameters, he is getting the message as "'The query caused no data to be returned".
    There seems to be some security issues. Can any one kindly explain the process why the user is not able to view the output. In order to overcome this what are the actions i need to do.
    Thanks for your support.
    Best Regards,
    Kumar.

    Hi,
    I assume that you are using Oracle Applications and that the user is connecting with a different apps responsibility.
    In Discoverer, security can be applied at 4 levels; in the workbook, in the EUL, in views and using VPD. Application 11i security is mostly applied through views.
    Now, the security applied depends on the Apps module. GL, AP/AR, PO and FA all have different mechanisms for applying security. Mostly the security applied will be determined by security profiles set up for the responsibilities. But for example, GL, also uses row based (procedural) security based on the flexfield security rules in some of the GL views. If you are using a custom responsibility you will need to ensure that all the security profiles are set up for this responsibility.
    So your first step is to look at what view(s) are used in the report. Then determine which security profiles are checked by this view. So if it is a GL view you need to check the 'GL Set of Books Name' profile is defined for that responsibility.
    Without knowing which modules you are using, which version of Oracle Applications or whether you have custom or seeded responsibilities it is difficult to know why your report does not return data for the responsibility.
    Rod West

  • Security issues with cached applets

    Question: Can anyone tell me where there is a summary or discussion of security issues relating to applets cached by the Java Plug-in?
    I'd like to use the Plug-in to cache applets on client boxes, but I'm wondering if that opens a security hole for hostile/attack applets. Most of the write-ups on applet security I've seen only deal with security on the client side. Does Sun or anyone else address "cached-applet security" as it relates to the server from which it was downloaded?

    The cached applets are treated as same as those downloaded from the net - permissions will be granted based on the original codebase - nothing more, nothing less.

  • Security issues with Applets

    I have a web server that has access to a database server as I am able to create web pages with ASP and connect to the database fine using a DSN. I have created a web page that contains an applet; the applet attempts to connect to the database but I get a security error. How do I overcome this security issue? The security error looks like this:
    Exception: java.security.AccessControlException: accessdenied(java.lang.RuntimePermission accessClassInPackage.sun.jdbc.odbc)
    Can anyone help??

    There is a java.policy file in
    C:\Program Files\JavaSoft\JRE\1.3.1\lib\security\java.policy
    And a tool you can use in
    C:\Program Files\JavaSoft\JRE\1.3.1\bin\policytool.exe
    You might have to tell the policytool.exe where to open the java.policy file.
    You can also just modify it in a text editor and save it as plain text when you are done.
    I don't know which permission you should look for, but you can try with
    grant {
        permission java.security.AllPermission;
    };
    and remove or comment out the other lines. Make a backup of the policy file before you try it. Restart the browser.
    Note that you have to do this on all client machines that want to run your applet.
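An added example, not part of the original thread: since the answer above has the policy file edited by hand on every client, this Python sketch audits a `java.policy` file for `AllPermission` grants and separates the unscoped form (which applies to all code the JRE loads) from grants limited by `codeBase` or `signedBy`. The sample policy text and the `intranet.example` URL are constructed; the third entry names only the permission quoted in the exception, and whether the applet needs more is not established on the page.

```python
import re

# Quoted strings are matched first so "http://..." and "${java.home}" are never
# mistaken for comments or braces.
_COMMENT_OR_STRING = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
_GRANT = re.compile(
    r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;', re.I)
_CLAUSE = re.compile(r'\b(signedBy|codeBase)\s+"([^"]*)"', re.I)
_PERMISSION = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?', re.I)

# Constructed sample input (not taken from the page).
SAMPLE_POLICY = r'''
// Scoped grant of the kind a stock policy file carries for extensions.
grant codeBase "file:${java.home}/lib/ext/*" {
    permission java.security.AllPermission;
};

/* The change suggested in the answer: no codeBase, so it covers all code. */
grant {
    permission java.security.AllPermission;
};

// Narrower form: one permission, one (placeholder) applet origin.
grant codeBase "http://intranet.example/applets/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.sun.jdbc.odbc";
};
'''


def strip_comments(text):
    """Remove // and /* */ comments while leaving quoted strings intact."""
    def keep_strings(match):
        token = match.group(0)
        return token if token.startswith('"') else " "
    return _COMMENT_OR_STRING.sub(keep_strings, text)


def parse_policy(text):
    """Return one dict per grant entry: its scope clauses and its permissions."""
    grants = []
    for header, body in _GRANT.findall(strip_comments(text)):
        scope = {name.lower(): value for name, value in _CLAUSE.findall(header)}
        grants.append({"scope": scope, "permissions": _PERMISSION.findall(body)})
    return grants


def audit(text):
    """Flag every AllPermission grant; an unscoped one applies to all code."""
    findings = []
    for grant in parse_policy(text):
        classes = {cls for cls, _target in grant["permissions"]}
        if "java.security.AllPermission" not in classes:
            continue
        scope = grant["scope"]
        if scope:
            label = ", ".join(f'{k} "{v}"' for k, v in sorted(scope.items()))
            findings.append(("review", label))
        else:
            findings.append(("high", "all code"))
    return findings


if __name__ == "__main__":
    for severity, scope in audit(SAMPLE_POLICY):
        print(f"{severity}: AllPermission granted to {scope}")
```

To check a real client, pass the contents of its `java.policy` file to `audit()` in place of the sample text.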
