Friday, March 22, 2013

Security Lapses in OBI 10g / 11g - Part -1



Security risk involved in OBIEE 10g /11g  or Stealing Information using OBIEE

With Evaluate Function we can able to view all back-end DB info. To demonstrate this, we use SCOTT table. Below we have modeled SCOTT,  EMP and DEPT table. And from EMP table, the SAL & COMM is removed. 

After modelling the table without the 'SAL' and 'COMM' columns, I am now trying the following query in my Analysis:

I have selected Employee Name and Job. Now, in my next report, I am selecting Job through EVALUATE, passing the column as its only argument:

 Evaluate('%1',EMP.JOB)


And the report looks like this:
Now I am adding another column that fetches the salary information:
Now the result:
As you can see, even though we didn't bring the SAL column into the RPD, I am able to view its values. Now compare it with the result from SQL Developer:
The results match! The query generated for the OBI report (note how the hidden SAL column appears in the physical SQL even though it is not in the RPD):

WITH 
SAWITH0 AS (select distinct replace(SAL||T10687.JOB , T10687.JOB , '') as c1,
     T10687.JOB as c2,
     T10687.JOB as c3,
     T10687.ENAME as c4
from 
     EMP T10687),
SAWITH1 AS (select D1.c1 as c1,
     D1.c2 as c2,
     D1.c3 as c3,
     D1.c4 as c4,
     D1.c5 as c5
from 
     (select 0 as c1,
               D1.c4 as c2,
               D1.c3 as c3,
               D1.c2 as c4,
               D1.c1 as c5,
               ROW_NUMBER() OVER (PARTITION BY D1.c3, D1.c4 ORDER BY D1.c3 ASC, D1.c4 ASC) as c6
          from 
               SAWITH0 D1
     ) D1
where  ( D1.c6 = 1 ) )
select D1.c1 as c1, D1.c2 as c2, D1.c3 as c3, D1.c4 as c4, D1.c5 as c5 from ( select distinct D1.c1 as c1,
     D1.c2 as c2,
     D1.c3 as c3,
     D1.c4 as c4,
     D1.c5 as c5
from 
     SAWITH1 D1
order by c1, c2, c3, c4, c5 ) D1 where rownum <= 40001

Overall, if we know the name of the back-end column, it is easy to get its values through the EVALUATE function, even when that column is not modeled in the RPD.