WebApp Sec mailing list archives
Oracle Developer and Forms security issues
From: Matías Bevilacqua <matias () escert upc es>
Date: Thu, 20 Feb 2003 21:50:06 +0100
Hi list,

I'm involved in a project which will use Oracle Forms in a web environment and would like to hear some feedback from the list. This technology is rather new (you don't see this stuff much out there) and thus I'm concerned with security issues which may arise. I have basically the following questions:

1) Is the usual 3 tier topology valid with this technology? I'm not sure since we have to poke a hole in our two firewalls to let Forms Client connect to the application server directly... Not something nice. Should we move the application server to our DMZ?

2) Any feedback on Oracle Forms security on a web deployment instead of the traditional client/server setup?

3) What is the protocol used by the Forms client to connect to the Forms Listener? It says it's compatible with HTTP but it also states it uses an in-house protocol to reduce traffic and encrypts with HTTPS... HTTP "obfuscation" of some type? Will IDSs do something here assuming we can decrypt data?

Any feedback will be appreciated! Thank you in advance.

Matías Bevilacqua Trabado
___________________________________________________________________
PGP-ID: 0x3FFD6E18
PGP Fingerprint: 9FA3 06A1 3CAE 5996 1716 D9DF 3CE7 E88D 3FFD 6E18
___________________________________________________________________
"This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden."