Secure Configuration of Attachments

Posted on March 14th, 2013 by Sanjit Anand || Email This Post

This post is just a notes after a issue popup on attachments . Key profile options details is highlighted here.

1) File Upload Limits for Attachments

• Set Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT)
  • Limits the maximum Attachment file size that can be uploaded
  • Specified in KB (e.g. 2000KB)
• Allowing unlimited attachment sizes can allow for a Denial of Service attack (DOS)

2) Attachments file type extension validation

• Set Profile: Attachment File Upload Restriction Default
  • Yes (default): Black list behavior – Disallow types marked as ‘N’
  • No (recommended): White list behavior – Only allow types marked as ‘Y’
• Validate attachments file type extensions
  • New column – FND_MIME_TYPES. ALLOW_FILE_UPLOAD – values N & Y

This was Delivered as part of January 2012 CPU

3)Tag scanning of HTML Attachments

• Set Profile: FND: Disable Antisamy Filter
  • False (default / recommended) – sanitize HTML pages
• OWASP Antisamy – allows a specific (white list) of HTML elements and attributes
  • Error Message if uploaded HTML file was modified:

This was delivered as part of January 2012 CPU

Refernce :

• MOS Note 604458.1: How to Limit The Attachment File Size?
• MOS Note 1357849.1: Security Configuration Mechanism in Attachments
• MOS Note 1357849.1: Security Configuration Mechanism in Attachments

1. EBS Maximum Attachment Size
2. Security Profile Options in Managing a Secure Oracle Applications Environment
3. Auto Invoice – Parameter and Profile Options
4. Is ..”Oracle Applications Not Secure “?
5. R12 AOL : ‘Server-Responsibility Profile Hierarchy Type’