| VID | 21190 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | If "ows-bin" is the default CGI directory, the one used by the Oracle Application Server manager, you need to remove the ows-bin virtual directory. Leaving a default like that in place after OAS (Oracle Application Server) is set up will cause problems. The "ows-bin" virtual directory in the Oracle Web Listener performs the same function as cgi-bin on a normal web server and, if Oracle is installed to c:\ornat, it is placed at C:\ornat\ows\4.0\bin. This directory contains some batch files, DLLs, and executable files, as well as binary image files for the Listener itself. Even if you change this default setting, the danger remains whenever a new "ows-bin" directory contains batch files. References: http://www.securityfocus.com/bid/1053 |
| Recommendation | Oracle's Web Listener (a component of Oracle Application Server) is installed, and can be used by a remote attacker to run arbitrary commands on the web server. |
| Related URL | CVE-2000-0169 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |