| VID | 22131 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | Oracle 9i AS allows access to the Java Process Manager without authentication. Oracle 9i AS (Application Server) includes the Apache web server and several Apache services that are installed by default. In a default installation of Oracle 9i AS, a remote attacker can gain unauthorized access to default services such as the Java Process Manager and can obtain sensitive information about the server through these services. References: http://online.securityfocus.com/bid/4293 and http://www.iss.net/security_center/static/8455.php |
| Recommendation | As a workaround, edit the 'httpd.conf' file to limit access to the following pages: http://oracle_server/oprocmgr-status and http://oracle_server/oprocmgr-service. Refer to the following site for detailed instructions: http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf |
| Related URL | CVE-2002-0563 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |