| VID |
22025 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
Servlet |
| Detailed Description |
The Oracle JSP/SQLJS Servlet allows viewing files and executing JSP outside the web root.
Directory traversal vulnerability in Oracle JSP 1.0.x through 1.1.1 and Oracle 8.1.7 iAS Release 1.0.2 can allow a remote attacker to view arbitrary files outside the web root, and also to execute arbitrary .JSP files on the same partiotion as the web server's root.
For examples:
1) The following URL:
http://oraclehost/a.jsp//..//..//..//..//..//../winnt/win.ini
shall read c:\winnt\win.ini. It is normal to receive an error to this request. To see the result go to: http://oraclehost/_pages/ and look in the directories for .java files containing "win".
2) The following URL:
http://oraclehost/servlet//..//../o.jsp
will execute c:\o.jsp if there is such file. As a side effect this shall create the directory C:\servlet\_pages\_servlet and shall put in it the java source and .class file of o.jsp.
* Note that this scanner solely relied on the banner of the remote Apache web server to assess this vulnerability.
* References:
http://www.securityfocus.com/bid/2286
http://www.guninski.com/orajsp.html |
| Recommendation |
Upgrade to OJSP Release 1.1.2.0.0, available on Oracle Technology Network's OJSP web site:
http://otn.oracle.com/software/tech/java/servlets/htdocs/listing.htm |
| Related URL |
CVE-2001-0591 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
