GeeKs Blogging @ dotCOM » Security

Siebel : Security Vulnerability !

Nitin Jain — Sun, 07 Mar 2010 20:17:46 +0000

This post could have far-reaching implications. I am still at crossroads whether I should be covering this or not..

The baseline is that there has been a Security Vulnerability detected, and announced. It is said to have been detected nearly a year ago, and informed to the Parent Organization. However, despite a year passing by, we are not aware of any remedial action having been taken by the Corporation. Since the vulnerability has already been publicly announced over the internet, we feel it’s safe to cover it here as well. We feel morally responsible to apprise Oracle Corp of the issue by building sufficient public opinion to patch it..

This Security Vulnerability has been detected in some of the older versions of Oracle’s very popular Siebel CRM Softwa=re, aka versions 7.7 and 7.8. It has not been tested on the older versions, but, expectedly it would appear there as well.

This Security Loophole has been detected by “Yaniv Miron”, a Security Researcher from Israel. Click here to reach his LinkedIn profile directly.

The vulnerability comes by the name of, “Oracle Siebel CRM ‘start.swe’ Cross Site Scripting Vulnerability”.

It is rated “Low Risk”, and is Remotely Exploitable.

The following is directly from VUPEN :
” ..This vulnerability could be exploited by attackers to execute arbitrary scripting code. This issue is caused by an input validation error in the “htim_enu/start.swe” script when processing user-supplied data, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user’s browser in the security context of an affected site.. “

SECUNIA says..
” ..Input passed via the URL to htim_enu/start.swe is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.. “

A simple example could be:

http://example.com/htim_enu/start.swe/?>'">

Jan 2009 – Vulnerability found
Jan 2009 – Vendor Notification
Feb 2010 – Public Disclosure

Complete details about the vulnerability can be found at the following URLs where it was first reported:

http://www.vupen.com/english/advisories/2010/0516

http://seclists.org/bugtraq/2010/Mar/6

The original Advisories may be downloaded from the links below:
Siebel Loyalty Advisory
Siebel CRM Advisory

The vulnerability is already popular over Twitter.. try the link below..
Twitter Links for Siebel Advisory

Could there be better reasons to Upgrade to the latest Siebel versions, 8.x ?
Considering Siebel CRM is an expensive product targetted only at the companies with $250K+ revenues, this is all the more important.

Note: This post is for informational purposes only.
The author of this document is not and will not hold any responsibility for any illegal or unauthorized use of the information contained within this document, or that is implied from it.
The author of this document does not encourage in any way whatsoever, attacking any Siebel based System.

Related posts:

Siebel – SIS OM PMT Service There are lots of vanilla business services available in Siebel...

Siebel – Forcing User Logoff Hi all, Somebody recently asked me if there is a...

Siebel – LookUpName() and LookUpValue() Hi all, I was working for a multi lingual implementation...

Siebel – HTML Code displayed in Error Message There was a requirement in our project to make Account...

Siebel – Upgrade Process – Part I If you have reached here, I assume you have already...

Siebel – Remove About SRF Window

Nitin Jain — Wed, 20 May 2009 05:35:49 +0000

In my previous post, I had discussed as to how we can control how we can control the data being displayed in the Siebel Client, About SRF window. You can read the article here.

One impromptu question came up from the audience, “What if I want to limit opening of the About SRF window itself in the first place?”. I said, “Nice question!”.

Try out the following steps to disable the About SRF window itself from Siebel Web Client.

Log into Siebel Tools.
Navigate to ‘Application’ in the Object Explorer. In may case, “Siebel Automotive”.
Notice that the Menu property corresponding to this Application reads, “Generic WEB”.
Navigate to ‘Menu’ in the Object Explorer in Siebel Tools.
In the ‘Menu Item’ below the ‘Menu’ in OE, search for the record name as “Help – About SRF”, or the Caption as “About SRF…”.
Set the corresponding property, ‘Inactive’ to TRUE.
Compile into Siebel SRF and Go!

You should no longer see the ‘About SRF’ option in the ‘Help’ menu.

Just as I said with my previous post on hiding data from the About SRF Applet, you can play around with similar other entities as well. Let me know if this helped you. Cheers!

Related posts:
Siebel – About SRF Window – Remove data Okay. This is something those who like to toy with...

Siebel- Close Browser window when logging off In case of standard interactivity applications like eSales , eService,...

Siebel – Popup Update Only Hi all, I was working with Siebel Multi Valued Links...

Siebel – changing Textbox height There are a number of HTML controls available in Siebel....

Siebel – Run Case Insensitive queries This is a nice tip I ran across. All the...

Siebel – About SRF Window – Remove data

Nitin Jain — Tue, 19 May 2009 06:07:58 +0000

Okay. This is something those who like to toy with Siebel may find interesting. I will discuss today, how we can play with the Siebel ‘About SRF’ window when you go Help -> About SRF in Siebel Client Application.

I guess almost all the Siebel users would have seen or used the Siebel ‘About SRF’ window to know about the latest SRF that has been compiled, or other technical information for the application that they just logged into.

However, for a lot of reasons you may want to disable this Siebel feature:
1) Security Reasons
2) Making data available on a Need to Know basis
3) Making available custom information than that in the About SRF window. Or,
4) Just for plain fun!

Either way, a nice to know feature in Siebel.

Remove some data from the About SRF Window

In Siebel Tools, navigate to ‘Applets’ in the Siebel Object Explorer.
Search for the ‘About SRF Applet’ in the List of available applets.
In the ‘Controls’ section below the ‘Applets’ in the Object Explorer tree, select the controls that you no longer want to show on the ‘About SRF Applet’. There would also be corresponding Labels visible as different controls.
Set the property, ‘Inactive’ to TRUE for all these controls and corresponding Label controls.
Compile and go. Tell me what you see!

This concept can also be used to show some customized data onto the Siebel ‘About SRF Applet’ as the requirement may be. Just remember to add the proper controls in the Edit Web Layout section of the Applet.

I am sure that the smartest of the lot will find many more similar applications, related to this implementation. Once you are done playing with this one, drop me a comment telling me how all did you play with this Applet.

Related posts:
Siebel – Remove About SRF Window In my previous post, I had discussed as to how...

Siebel- Close Browser window when logging off In case of standard interactivity applications like eSales , eService,...

Siebel – Autosave Opportunity data – The concept Requirement: System should have capability to automatically save opportunity(RFPs) data...

Siebel – Autosave Opportunity data – Sample Code This is a follow up post on my previous post,...

Siebel – Reading data directly from Siebel SRF SRF or the Siebel Repository File as it is more...