VID 22050
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The translated JSP source files of an Oracle 9iAS installation can be accessed over the web. The web service in Oracle 9iAS is powered by Apache and provides many application environments, including SOAP, PL/SQL, XSQL, and JSP.
A security issue exists in a default installation of Oracle 9iAS where an attacker can get access to the source code of the translated JSP page. When a JSP is requested it is compiled 'on the fly' and the resulting HTML page is returned to the user. Oracle 9iAS uses a folder to hold the intermediate files during compilation. These files are created in the same folder in which the .JSP page resides. Hence, it is possible to access the .java and compiled .class files for a given JSP page.

* References:
http://www.cert.org/advisories/CA-2002-08.html
http://marc.info/?l=bugtraq&m=101301440005580&w=2
Recommendation Edit the httpd.conf file found in the $ORACLE_HOME$/apache/apache/conf and add the following entries:

* To prevent access to the globals.jsa file add the following entry:
<Files ~ "^\globals.jsa">
Order allow,deny
Deny from all
</Files>

* To prevent access to the .java pages add the following entry:
<Location /_pages>
Order deny,allow
Deny from all
</Location>

* Note that if the JSP pages are stored in an aliased directory (i.e. not a subdirectory of "htdocs") then it is necessary to add an entry of

<Location /dirname/_pages>
Order deny,allow
Deny from all
</Location>

Where "dirname" is the name of the aliased directory.
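The recommendation above is easy to apply incompletely: every aliased JSP directory needs its own /dirname/_pages block, and one forgotten alias leaves its .java and .class files exposed. The following Python script is an added example (not part of this advisory or of Oracle's documentation) that audits an httpd.conf for the mitigation: it collects every Alias directive, checks that /_pages and each /alias/_pages path has a Location block with "Deny from all", and checks for a Files block covering globals.jsa. The configuration fragment it parses is constructed for the example; the alias paths and ORACLE_HOME-style filesystem paths in it are assumptions, not values from this page.

```python
"""Audit an Apache httpd.conf for the Oracle 9iAS JSP source-exposure
mitigation: Deny blocks for globals.jsa and for every */_pages path."""
import re

# Constructed sample httpd.conf fragment (assumed paths). One aliased JSP
# directory (/demo) is protected, a second one (/shop) has been forgotten.
SAMPLE_CONF = """\
Alias /demo/ "/u01/app/oracle/jsp/demo/"
Alias /shop/ "/u01/app/oracle/jsp/shop/"

<Files ~ "^globals\\.jsa$">
Order allow,deny
Deny from all
</Files>

<Location /_pages>
Order deny,allow
Deny from all
</Location>

<Location /demo/_pages>
Order deny,allow
Deny from all
</Location>
"""

# Matches <Files ...>, <Location ...> and <Directory ...> containers with
# their bodies; the backreference keeps open and close tags paired.
_BLOCK_RE = re.compile(
    r"<(Files|Location|Directory)\s+([^>]+)>(.*?)</\1>", re.S | re.I)
# Captures the URL-path argument of each Alias directive.
_ALIAS_RE = re.compile(r"^\s*Alias\s+(\S+)\s+", re.M | re.I)


def parse_blocks(conf):
    """Return (kind, argument, body) tuples for every container block."""
    return [(m.group(1).lower(), m.group(2).strip(), m.group(3))
            for m in _BLOCK_RE.finditer(conf)]


def denies_all(body):
    """True when the block body contains a 'Deny from all' directive."""
    return re.search(r"^\s*Deny\s+from\s+all\s*$", body, re.M | re.I) is not None


def protected_locations(conf):
    """Set of Location paths (trailing slash removed) that deny all access."""
    return {arg.strip('"').rstrip("/") for kind, arg, body in parse_blocks(conf)
            if kind == "location" and denies_all(body)}


def globals_jsa_protected(conf):
    """True when some Files block naming globals.jsa denies all access."""
    for kind, arg, body in parse_blocks(conf):
        # Accept both an escaped (\.) and an unescaped dot in the pattern.
        if kind == "files" and re.search(r"globals\\?\.jsa", arg) and denies_all(body):
            return True
    return False


def audit(conf):
    """Map each required _pages path (root plus one per Alias) to whether a
    Deny-all Location block covers it."""
    aliases = [a.rstrip("/") for a in _ALIAS_RE.findall(conf)]
    required = ["/_pages"] + [f"{a}/_pages" for a in aliases]
    protected = protected_locations(conf)
    return {path: path in protected for path in required}


def report(conf):
    """Human-readable list of findings; empty list means fully mitigated."""
    findings = [f"missing Deny block for {p}" for p, ok in audit(conf).items() if not ok]
    if not globals_jsa_protected(conf):
        findings.append("missing Files block for globals.jsa")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_CONF) or ["all required Deny blocks present"]:
        print(line)
```

Run it against the real file (read $ORACLE_HOME/apache/apache/conf/httpd.conf instead of SAMPLE_CONF) after editing, and again after every new Alias is added; the sample run reports the unprotected /shop/_pages path. The parser is deliberately simple: it ignores Include directives and per-directory .htaccess files, so a configuration split across several files needs each file checked.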
Related URL CVE-2002-0562 (CVE)