While creating journals in Oracle Fusion SaaS, the application allows a .PHP file, which is an executable file
Summary:
While creating journals in Oracle Fusion SaaS, the application allows a .PHP file, which is an executable file.
Observation:
During testing, it was observed that the tester was able to circumvent client-side filtering and upload files with extensions other than the allowed ones into the web application.
The application accepted files with the extensions ".pdf", ".png", ".jpg", ".jpeg", ".tif", ".tiff", etc., as well as the ".php" extension.
Expected:
It is recommended to:
• Apply extension filtering to all upload functions in the entire application.
• Only permit extensions from the predetermined allowed list.
• Perform file type detection and reject any file whose content does not match the format expected for its extension.
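The three recommendations above combined into one server-side check, as an added example that is not part of the original post or of Oracle's product: the last extension must be on the allowlist from the observation, and the file's leading bytes must match the signature of the format that extension claims. The signature table and the sample inputs are constructed assumptions.

```python
import os
from typing import Tuple

# Allowlist from the observation, each mapped to the leading bytes (magic
# numbers) that the format is expected to start with. Assumed signatures;
# the post itself names no detection mechanism.
ALLOWED_SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".tif": (b"II*\x00", b"MM\x00*"),
    ".tiff": (b"II*\x00", b"MM\x00*"),
}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Server-side gate for an uploaded journal attachment.

    Returns (accepted, reason). The decision never relies on anything the
    client sent other than the name and the bytes themselves.
    """
    # Reject names that could be interpreted as paths or hide their real end.
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "rejected: path separator or NUL in file name"
    # Only the final extension counts; 'report.pdf.php' therefore ends in .php.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"rejected: extension {ext!r} is not on the allowlist"
    # Content-based type detection: the bytes must match the claimed format.
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"rejected: content does not look like {ext}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads; none are real files from the application.
    samples = [
        ("journal.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("journal.php", b"<?php echo 'x'; ?>"),
        ("journal.pdf", b"<?php echo 'x'; ?>"),
        ("scan.tiff", b"MM\x00*\x00\x00\x00\x08"),
    ]
    for name, data in samples:
        print(name, "->", validate_upload(name, data)[1])
```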