Posts

Showing posts with the label security

Siebel CRM and URL Based Authentication

Remember this one?

http://myserver/callcenter_enu/start.swe?SWECmd=ExecuteLogin&SWEUserName=NotSADMINPlease&SWEPassword=yourpasswordincleartext

If you, for whatever reason, use URL-based authentication to load Siebel CRM application content in a browser or iframe, then you should strongly consider reading Oracle Support Document 1496603.1 (Removing URL-Based Authentication in Siebel CRM). In that document, Oracle recommends that customers stop using this obviously insecure form of authentication, which passes the credentials as clear-text URL arguments (SWEUserName and SWEPassword). A URL is copied wherever the request goes: browser history, proxy and web server access logs, and the Referer header of any page the session navigates to next, so the password ends up in all of those places too. As a transitional solution, customers can add the EnableURLCredentials parameter to the eapps.cfg file (and set it to TRUE) to keep URL-based authentication working. However, Oracle plans to remove any support for URL-based authentication (and the aforementioned parameter) "following the release of Innovation Pack 2013". So with IP 2014 around the corner, it's time to think about alternatives such as Single-...
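Before switching EnableURLCredentials off, it helps to know which clients still send credentials in the URL. The script below is an added example, not code from the post or from Oracle: it scans web server access log lines for ExecuteLogin requests that carry SWEUserName and SWEPassword, and reports them with the password redacted so the finding itself does not leak the secret. The log lines are constructed for the example and assume the IIS W3C extended format with the field order given in the #Fields header; adjust the field indices for a different log layout.

```powershell
# Added example (not from the original post): inventory Siebel requests that
# still authenticate via URL arguments, so they can be migrated before
# URL-based authentication is disabled.
# Constructed sample log in IIS W3C extended format. Assumed field order:
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2014-03-01 08:15:02 10.1.2.3 GET /callcenter_enu/start.swe SWECmd=ExecuteLogin&SWEUserName=NotSADMINPlease&SWEPassword=yourpasswordincleartext 200
2014-03-01 08:15:40 10.1.2.4 GET /callcenter_enu/start.swe SWECmd=Login 200
2014-03-01 08:16:11 10.1.2.5 GET /callcenter_enu/start.swe SWECmd=ExecuteLogin&SWEUserName=SADMIN&SWEPassword=Secret1 200
'@

function Find-UrlCredentialLogins {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Skip directive/header lines and blanks
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split ' '
        if ($f.Count -lt 7) { continue }
        $query = $f[5]

        # Only requests that carry both credential arguments are findings
        if ($query -notmatch '(^|&)SWEUserName=' -or $query -notmatch '(^|&)SWEPassword=') { continue }

        $user = ($query -split '&' | Where-Object { $_ -match '^SWEUserName=' }) -replace '^SWEUserName=', ''
        # Redact the password value before the finding is displayed or written anywhere
        $redacted = $query -replace '(SWEPassword=)[^&]*', '$1<redacted>'

        [pscustomobject]@{
            Time     = "$($f[0]) $($f[1])"
            ClientIP = $f[2]
            User     = $user
            Stem     = $f[4]
            Query    = $redacted
        }
    }
}

# In practice pipe Get-Content over the real log files into this function
$findings = @(Find-UrlCredentialLogins -Lines ($sampleLog -split "`r?`n"))
$findings | Format-Table -AutoSize
"$($findings.Count) request(s) still use URL-based authentication"
```

Run against the sample it reports two findings (the 10.1.2.3 and 10.1.2.5 requests) and leaves the SWECmd=Login request alone. The client IPs and user names tell you which integrations or bookmarks need to move to a supported login method; the redaction matters because a report of this kind is exactly the sort of document that gets e-mailed around.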

Abstracting Database Passwords in Batch Scripts

Even when a Siebel implementation does not need to be SOX compliant, it is still important to develop and maintain processes that reduce errors and fraud. Separation of duties (SoD) is an important security principle in any enterprise application environment. For example, it is usually best to prevent Siebel developers from having administrative access, and to prevent Siebel administrators from changing code. One exposure is that command-line Server Manager connections require a username and password that are authenticated against the Siebel database. Anyone holding those credentials can use a third-party tool to connect to the Siebel database directly and read or manipulate it, bypassing the application's own access controls. In a production environment, administrators need these passwords, but knowledge of them should be restricted as much as possible, especially from developers. Scripts invoking the Siebel Server Manager command-line interface can be a powerful tool for automating server tasks, but connecting to the command-line interface on a Windows server r...
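One way to keep the database password out of the script text is to store it encrypted and load it only at run time. The script below is an added example and is not the post's own approach (the post is cut off before it shows one): it uses Windows DPAPI through Export-Clixml and Import-Clixml, which encrypts the PSCredential so that only the same user account on the same machine can decrypt it. The file path, the gateway, enterprise and server names, and the srvrmgr switches (/g, /e, /s, /u, /p, /c) are assumptions for the example; verify the switches against your Siebel version's documentation.

```powershell
# Added example (not from the original post). Assumed location for the
# encrypted credential file; put it in a directory whose ACL allows only the
# service account that runs the job.
$credFile = 'D:\siebel\secure\srvrmgr.cred.xml'

# One-time setup, run interactively as the service account: the password is
# prompted for, never typed into a script, and the file is DPAPI-encrypted,
# so it is useless if copied to another machine or read by another account.
if (-not (Test-Path $credFile)) {
    Get-Credential -Message 'Siebel Server Manager account' | Export-Clixml -Path $credFile
}

# Run time (e.g. a scheduled task under the same account): decrypt in memory only.
$cred = Import-Clixml -Path $credFile
$password = $cred.GetNetworkCredential().Password   # clear text exists only here, only now

# Assumed srvrmgr path, connection values and switches for this example.
$srvrmgr = 'D:\siebel\ses\siebsrvr\bin\srvrmgr.exe'
$srvrmgrArgs = @(
    '/g', 'siebgw.example.local',   # gateway name server
    '/e', 'SBA_81',                  # enterprise
    '/s', 'SIEBSRV1',                # Siebel server
    '/u', $cred.UserName,
    '/p', $password,
    '/c', 'list comp'                # the administrative command to run
)
& $srvrmgr @srvrmgrArgs
$exitCode = $LASTEXITCODE

# Drop the clear-text copy as soon as the child process has it
Remove-Variable password
exit $exitCode
```

Two caveats a practitioner should weigh. First, the password is still passed on the command line, so anyone who can enumerate processes on that server while srvrmgr runs can see it; what you gain is that it no longer sits in a plain-text script that a developer with read access to the scripts share can copy. Second, DPAPI protects the file against other accounts and other machines, not against code running as the service account itself, so the SoD control reduces to who is allowed to log on as, or schedule tasks under, that account.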