The following Oracle Reports rwservlet URLs should be reachable only from the server(s) that host the Reports Server.
- /reports/rwservlet/showenv
- /reports/rwservlet/showmap
- /reports/rwservlet/showjobs
- /reports/rwservlet/getjobid7?server=myrep
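To secure the above URLs, insert the following Location directives into the Apache configuration file reports_ohs.conf. Note that the block below also restricts the getserverinfo, showmyjobs and help commands, which are not listed above, and that it contains no section for getjobid.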
########### Apache configuration to block Oracle Reports rwservlet ###########
# Purpose: deny every client except "localhost" access to the rwservlet web
# commands matched below (showmap, getserverinfo, showjobs, showmyjobs,
# showenv, help).
#
# How each <Location> section works:
#   - The bracket pairs ([sS][hH]...) match the command name in any letter
#     case; the trailing "*" matches any characters that follow it in the
#     same path segment.
#   - "Order deny,allow" evaluates Deny before Allow. "Deny from all" rejects
#     every client, then "Allow from localhost" re-admits clients whose
#     address resolves to the host name "localhost".
#
# NOTE(review): Order/Deny/Allow is the Apache 2.2 access-control syntax. On an
#   Apache 2.4-based server these directives come from mod_access_compat and
#   are deprecated; the 2.4 equivalent is "Require local". Confirm which
#   Apache version this Oracle HTTP Server release is built on.
# NOTE(review): "Allow from localhost" is a host-name match, so it depends on
#   reverse name resolution of the client address. Listing the loopback
#   addresses explicitly avoids that dependency -- confirm before changing.
# NOTE(review): if a proxy or load balancer on this same host forwards
#   requests to this server, those requests arrive from a loopback address
#   and are allowed by these rules. Verify the deployment topology.
# NOTE(review): <Location> matches the URL path only, and "*" does not match
#   "/". After reloading, request each command from a remote client and
#   confirm it is refused; keep any access controls the Reports servlet
#   itself offers enabled as well.
# NOTE(review): no section below covers /reports/rwservlet/getjobid..., which
#   the accompanying text lists as a URL to restrict. Confirm whether that
#   omission is deliberate.
# New Locations:
# showmap
<Location /reports/rwservlet/[sS][hH][oO][wW][mM][aA][pP]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
# getserverinfo
<Location /reports/rwservlet/[gG][eE][tT][sS][eE][rR][vV][eE][rR][iI][nN][fF][oO]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
# showjobs
<Location /reports/rwservlet/[sS][hH][oO][wW][jJ][oO][bB][sS]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
# showjobs, written with no "/" between "rwservlet" and the command name
<Location /reports/[rR][wW][sS][eE][rR][vV][lL][eE][tT][sS][hH][oO][wW][jJ][oO][bB][sS]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
# showmyjobs
<Location /reports/rwservlet/[sS][hH][oO][wW][mM][yY][jJ][oO][bB][sS]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
# showmyjobs, written with no "/" between "rwservlet" and the command name
<Location /reports/[rR][wW][sS][eE][rR][vV][lL][eE][tT][sS][hH][oO][wW][mM][yY][jJ][oO][bB][sS]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
# showenv
<Location /reports/rwservlet/[sS][hH][oO][wW][eE][nN][vV]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
# help
<Location /reports/rwservlet/[hH][eE][lL][pP]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
# help, written with no "/" between "rwservlet" and the command name
<Location /reports/[rR][wW][sS][eE][rR][vV][lL][eE][tT][hH][eE][lL][pP]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
###################################