It’s been just over a year since we launched the Onapsis Security Platform (OSP) for Oracle E-Business Suite (EBS). At the Onapsis Research Labs, just as we’ve done for SAP, we continue to investigate new modules for the product.
In this blog, we will focus on a module that can restrict the type and size of files that can be uploaded to EBS. Why does this matter? We must bear in mind that the enduser is the one who uploads files to the database, and may not be concerned with the security of the system, so it is our duty to restrict this as much as possible.
All the files uploaded to EBS end up in the FND_LOB, one of the heaviest and most complex EBS database tables to maintain. Performance becomes an issue if files are allowed to be uploaded without restriction.
Let’s look at how to restrict the uploading of certain files types in EBS. This validation is composed of two profiles:
The first profile “Attachment File Upload Restriction Default”, when enabled, will by default restrict using a blacklist of the file extensions that Windows considers "executable," such as .COM, .EXE, .BA, .CMD, .VBS, .VBE, .JS, .JSE, .WSF, .WSH and .MSC. This can be changed into a whitelist of allowed file extensions to only allow those you actually use. So, with this profile we can control file types that have not been explicitly allowed or disallowed in the FILE_MIME_TYPES.
Possible values for this field are Yes or No. If it is set to Yes, a file type can be uploaded from the front-end even if it has not been explicitly allowed or disallowed in FILE_MIME_TYPES. Setting this value to No will prevent the user from uploading any file type that has not been explicitly allowed in FILE_MIME_TYPES.
When a user is prevented from uploading a file, they will see this message on the screen:
The second profile “Upload File Size Limit” indicates the size limit of the file. This is important because a very large file could take down services of the application server.
As you consider the attachments you will allow, you must also check the settings for the allowed size limit of an uploaded attachment - the profile option UPLOAD_FILE_SIZE_LIMIT (kb). If the profile is null, it will allow unlimited attachment size. The risk here is the opportunity for an attacker to perform a Denial of Service.
When the profile is configured correctly, it shows the following warning to the user:
The following are the types of files recommended to restrict with the default profile options:
If you do not correctly restrict the files that a user can upload, any dangerous file, such as a Ubuntu pkg, could be uploaded, whether maliciously or not.
Here is a simple query to check the content in table FND_LOBS:
select file_id, file_name, upload_date
order by upload_date desc;
To see the size of our FND_LOBS table:
select round(sum(bytes)/1024/1024) Mb from dba_segments where segment_name='FND_LOBS';
A necessary concurrent when we need to purge this table is:
“Purge Obsolete Generic File Manager Data.”
There are two simple profiles that are available from the January 2012 Oracle CPU, which are important because if someone configures them incorrectly, they can not only cause the application server to go down, but allow the upload of malicious files to the database. So, go back and read this CPU if you haven’t already addressed it, it's always good to validate.
- Security Configuration Mechanism in the Attachments Feature in Oracle E-Business Suite (Doc ID 1357849.1)
- How to Limit The Attachment File Size? (Doc ID 604458.1)
- Is There A File Size Limit For EBS Attachments (Doc ID 739643.1)
We will continue to share more more information about Oracle E-Business Suite Security and modules included in the Onapsis Security Platform. Learn more about OSP for EBS, stay tuned to our blog and request a demo today!