Understanding the Security Risks of File Upload Tables

Oracle Application Express makes it easy to build an application that lets users upload files and retrieve them afterwards. Every uploaded file lands in one common file storage table that is shared by all workspaces in the instance. The database view APEX_APPLICATION_FILES shows only the files associated with your database account (or workspace), but that restriction is enforced by the view, not by the underlying table: no authentication is required to retrieve a file stored there, including files uploaded by other users in other workspaces. Using the various APIs in Oracle Application Express, anyone who knows the numeric ID of a row in this common table can download the file without authenticating. Treat every file left in this table as readable by anyone.

To build an Oracle Application Express application that supports file upload without exposing this vulnerability, see the Oracle Application Express How To documents on file upload on OTN at:

http://www.oracle.com/technology/products/database/application_express/howtos/index.html
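The usual remedy is to stop relying on the common table at all: immediately after the upload, copy the file into a table your application owns, delete the row from the common table so it is no longer reachable by its numeric ID, and serve downloads only through a procedure that checks who is asking. The following PL/SQL is an added example written for this page, not code from the Oracle documentation or the OTN How To. The table APP_UPLOADED_FILES, the sequence APP_UPLOADED_FILES_SEQ, the File Browse item P1_FILE and the procedure DOWNLOAD_APP_FILE are assumed names; the APEX_APPLICATION_FILES view, the :APP_USER bind variable and the owa_util / htp / wpg_docload packages are the standard Oracle ones.

```sql
-- Added example (assumed object names). Application-owned storage with an
-- owner column, so the authorization check has something to check against.
CREATE SEQUENCE app_uploaded_files_seq;

CREATE TABLE app_uploaded_files (
  id           NUMBER         PRIMARY KEY,
  owner_user   VARCHAR2(255)  NOT NULL,   -- APEX user allowed to read the file
  filename     VARCHAR2(400)  NOT NULL,
  mime_type    VARCHAR2(255),
  blob_content BLOB,
  created_on   DATE DEFAULT SYSDATE
);

-- Step 1: page process, point "After Submit". The File Browse item P1_FILE
-- (assumed name) holds the NAME of the new row in APEX_APPLICATION_FILES.
-- Copy the row into the application table, then delete it from the common
-- table so its numeric ID no longer yields anything.
DECLARE
  l_name VARCHAR2(400) := :P1_FILE;
BEGIN
  IF l_name IS NOT NULL THEN
    INSERT INTO app_uploaded_files (id, owner_user, filename, mime_type, blob_content)
    SELECT app_uploaded_files_seq.NEXTVAL, :APP_USER, f.filename, f.mime_type, f.blob_content
      FROM apex_application_files f
     WHERE f.name = l_name;

    DELETE FROM apex_application_files WHERE name = l_name;
  END IF;
END;
/

-- Step 2: download procedure. The lookup binds the requested ID to the
-- current APEX session user; v('APP_USER') is NULL outside a session, so an
-- unauthenticated caller, or a user asking for someone else's ID, gets the
-- same "not found" as a nonexistent ID.
CREATE OR REPLACE PROCEDURE download_app_file (p_id IN NUMBER) AS
  l_rec app_uploaded_files%ROWTYPE;
BEGIN
  SELECT * INTO l_rec
    FROM app_uploaded_files
   WHERE id = p_id
     AND owner_user = v('APP_USER');

  owa_util.mime_header(NVL(l_rec.mime_type, 'application/octet-stream'), FALSE);
  htp.p('Content-Length: ' || dbms_lob.getlength(l_rec.blob_content));
  -- Strip control characters and quotes from the user-supplied filename
  -- before echoing it into a response header.
  htp.p('Content-Disposition: attachment; filename="'
        || REGEXP_REPLACE(l_rec.filename, '[[:cntrl:]"]', '_') || '"');
  owa_util.http_header_close;
  wpg_docload.download_file(l_rec.blob_content);
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    owa_util.status_line(404, 'Not Found');
END download_app_file;
/
```

Two points worth checking in your own deployment: the page process must run before any branch or redirect that leaves the page, or the file stays in the common table; and the download procedure is only reachable through the PL/SQL gateway if it is permitted by the gateway's request validation (the DAD or listener allow list), which is a configuration setting outside this example.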

See Also:

"Differences Between Page Items and Application Items" and "About Item Types" to learn more about creating a File Browse page-level item