| Field | Value |
|---|---|
| VID | 22046 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The XSQLConfig.xml source file of the XSQLServlet in Oracle 9iAS is accessed. A security issue exists in a default installation of Oracle 9iAS where an attacker can get access to the source code of the XSQL configuration file, which is found at $ORACLE_HOME$/xsql/lib/XSQLConfig.xml and contains connection information such as the database server host name, user IDs and passwords. To check whether your site is vulnerable, request the following URL: http://oracleserver/servlet/oracle.xml.xsql.XSQLServlet/xsql/lib/XSQLConfig.xml References: http://www.cert.org/advisories/CA-2002-08.html http://www.iss.net/security_center/static/8453.php |
| Recommendation | Move the 'XSQLConfig.xml' file at '$ORACLE_HOME$/xsql/lib/XSQLConfig.xml' to a safer location and update your servlet engine's configuration file to reflect the change. |
| Related URL | CVE-2002-0568, CVE-2002-0569 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |