Oracle® Retail Merchandising Security Guide
Release 14.1.1
E61235-01

25 Security Considerations for Active Retail Intelligence (ARI)

This chapter covers the Simple Mail Transfer Protocol (SMTP) injections that may occur and a possible workaround, though the customer is at liberty to implement any other measures based on industry best practices.

Active Retail Intelligence (ARI) provides no special security features or safeguards. Addressing any site-specific security issues involving ARI is the customer's responsibility. Security settings in other applications with which ARI interacts will not be overridden or circumvented by ARI. While this is generally desirable, it is a consideration when determining to whom ARI alerts should be routed. Sending an alert to a user who does not have the privileges to take the actions necessary to resolve the event may prove frustrating and counter-productive. Users should be educated about this issue so that they can also avoid forwarding events that have actions with limited access.

At a data level, ARI detection is necessarily done with full access privileges to all data. Individual users with data-level security may see different values for some parameters (in particular those involving sums) than the values seen by ARI. This may cause adverse effects: for example, a user looking at an event may automatically cause it to close, because the user's limited data access causes the event to see values that make ARI think the exception is no longer an issue when in fact it still is. For this reason, Oracle urges extreme caution when designing ARI processes that involve users with limited data access. The consequences of missing alerts can be great in an exception-driven enterprise, so extra care is needed in the technical analysis of how such ARI processes will behave.

Simple Mail Transfer Protocol (SMTP) Injections

An attacker exploits the weakness in input validation on Internet Message Access Protocol (IMAP)/Simple Mail Transfer Protocol (SMTP) servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the Web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the Web-mail server. If the Web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the Web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

It is the customer's responsibility to sanitize the requests and ensure that the e-mail address is validated.

Following is one way to hack the e-mail alert sent by ARI:

  • The message body contains a line with only a single dot ('.') in it. This signifies the end of the current message, which enables the hacker to specify another message, including a set of SMTP headers and a message body. To be secure, wherever a line consisting of just a single dot is found, the single dot is removed. Hence, even if the message body contains a single dot, the e-mail would not be hacked.
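
A sketch of the lone-dot workaround and the e-mail address check described above, as an added example (not Oracle's or ARI's code); the function names, the address pattern and the sample alert text are assumptions constructed for illustration. It goes slightly beyond the page by also showing the dot-stuffing rule from RFC 5321 section 4.5.2, which keeps the line's content instead of deleting it.

```python
import re

# CRLF, bare CR and bare LF are all treated as line breaks, since a relay or
# server may normalise any of them before looking for the end-of-data line.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")

# Conservative address shape (an assumption for this example, not a full
# RFC 5322 parser): one "@", no whitespace, control characters or brackets.
_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed alert text: the lone "." line would end the message early.
SAMPLE_BODY = "Stock alert for item 1001\n.\nSubject: second message\n\nextra body\n"


def has_lone_dot_line(body: str) -> bool:
    """True if any line of the body is exactly "."."""
    return any(line == "." for line in _LINE_BREAK.split(body))


def strip_lone_dots(body: str) -> str:
    """Workaround from the page: remove lone dots (here, the whole line)."""
    kept = [line for line in _LINE_BREAK.split(body) if line != "."]
    return "\r\n".join(kept)


def dot_stuff(body: str) -> str:
    """RFC 5321 section 4.5.2: prefix "." to each line that starts with "."."""
    lines = _LINE_BREAK.split(body)
    return "\r\n".join("." + ln if ln.startswith(".") else ln for ln in lines)


def is_safe_address(address: str) -> bool:
    """Accept one plain address; CR, LF and extra tokens fail the match."""
    return _ADDRESS.fullmatch(address) is not None


if __name__ == "__main__":
    print(has_lone_dot_line(SAMPLE_BODY))
    print(repr(strip_lone_dots(SAMPLE_BODY)))
    print(repr(dot_stuff(SAMPLE_BODY)))
    print(is_safe_address("buyer@example.com\r\nRCPT TO:<x@example.com>"))
```

Both body functions normalise line endings to CRLF, so a lone dot hidden behind a bare CR or LF is handled the same way as one between CRLF pairs.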