I received an email from Dirk Nachbar to let me know that he has released a new paper concerning a security hole in the application server control. If you want to trace Forms Sessions out of the Application Server Control Web Front end you have to provide a Hostuser name and his password (normally the Oracle Software Installation user: oracle). This Information, the Username and Password will be displayed in the URL and stored in clear text in a logfile. Dirk also provides a workaround for the bug how to avoid this behaviour. At the moment the WhitePaper is only available in German, but will be available soon in English. The paper is titled "Forms tracing im Application Server Control Eine Sicherheitslucke?