Understanding the Security Risks of File Upload Tables

Oracle Application Express makes it easy to build an application that lets users upload files and later retrieve them. Uploaded files are stored in a common file storage table. Although the database view HTMLDB_APPLICATION_FILES shows only the files associated with your database account (or workspace), no authentication is required to access any file stored in the underlying table, including files outside your database account (or workspace) that are owned by other users. Using the various Oracle Application Express APIs, a user can supply the numeric ID of a file in this common storage table and retrieve it without authenticating. In other words, any file stored in this table is accessible to anyone.

To implement an Oracle Application Express application which supports file upload, but does not expose this security vulnerability, please refer to the Oracle Application Express How To Documents for file upload on OTN at:

http://www.oracle.com/technology/products/database/htmldb/howtos/index.html
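The usual way to close this gap is to take each upload out of the shared table as soon as it is submitted and serve it from an application-owned table whose download procedure checks the session and the row owner. The following is an added illustration, not code from this page or from the OTN how-to documents: the table APP_DOCUMENTS, its sequence, the File Browse item P1_FILE and the procedure DOWNLOAD_DOCUMENT are assumed names, while HTMLDB_APPLICATION_FILES, the V() function and WPG_DOCLOAD are the standard APEX/PL/SQL Web Toolkit interfaces.

```sql
-- Application-owned storage: every row records who uploaded it (assumed names).
CREATE SEQUENCE app_documents_seq;
CREATE TABLE app_documents (
  doc_id       NUMBER        PRIMARY KEY,
  owner_user   VARCHAR2(255) NOT NULL,
  filename     VARCHAR2(400),
  mime_type    VARCHAR2(255),
  doc_size     NUMBER,
  blob_content BLOB
);

-- After-submit page process: the File Browse item P1_FILE holds the NAME of the
-- upload in the shared view. Copy the file into our table, then delete it from
-- the shared table so it can no longer be fetched by its numeric ID.
DECLARE
  l_name VARCHAR2(400) := :P1_FILE;
BEGIN
  INSERT INTO app_documents
         (doc_id, owner_user, filename, mime_type, doc_size, blob_content)
  SELECT app_documents_seq.NEXTVAL, :APP_USER, filename, mime_type, doc_size, blob_content
    FROM htmldb_application_files
   WHERE name = l_name;
  DELETE FROM htmldb_application_files WHERE name = l_name;
END;
/

-- Download procedure: refuses unauthenticated sessions and rows the caller does
-- not own, so the document ID alone is not enough to read the file.
CREATE OR REPLACE PROCEDURE download_document (p_doc_id IN NUMBER) AS
  l_doc  app_documents%ROWTYPE;
  l_user VARCHAR2(255) := v('APP_USER');
BEGIN
  IF l_user IS NULL OR l_user = 'nobody' THEN
    raise_application_error(-20001, 'Authentication required');
  END IF;
  SELECT * INTO l_doc
    FROM app_documents
   WHERE doc_id = p_doc_id AND owner_user = l_user;   -- ownership check
  owa_util.mime_header(NVL(l_doc.mime_type, 'application/octet-stream'), FALSE);
  htp.p('Content-length: ' || l_doc.doc_size);
  htp.p('Content-Disposition: attachment; filename="' || l_doc.filename || '"');
  owa_util.http_header_close;
  wpg_docload.download_file(l_doc.blob_content);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    raise_application_error(-20002, 'Document not found or access denied');
END download_document;
/
```

The ownership test is the simplest policy; an application that shares documents between users would replace the `owner_user = l_user` predicate with its own authorization lookup, but the principle is the same: the check runs inside the procedure that serves the bytes, not in the page that links to it.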

See Also:

"Creating a Page-Level Item" and "About Item Types" to learn more about creating a File Browse page-level item