| Field | Value |
| --- | --- |
| VID | 22144 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |

**Detailed Description**

The WEB-INF directory of the Oracle 9i Application Server is accessible. Oracle 9i Application Server (9iAS) is the web application server infrastructure distributed by Oracle. It has been reported that a problem exists in Oracle 9iAS with the WEB-INF directory. Under some circumstances, it may be possible for a remote user to gain access to the contents of the WEB-INF directory. In doing so, a remote user could potentially gain access to the source code of web applications, and potentially to other sensitive information.

* Platforms Affected:
  * Oracle 9i Application Server 1.0.2.2
  * Oracle 9i Application Server Release 2 9.0.2.0.0
  * Oracle 9i Application Server Release 2 9.0.2.0.1

**Recommendation**

Oracle has made a workaround available in Oracle Security Alert #28 at http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf

For this vulnerability, prevent access to all WEB-INF directories by adding the following entry to the main httpd.conf file:

```apache
<DirectoryMatch WEB-INF>
    Order deny,allow
    Deny from all
</DirectoryMatch>
```

This vulnerability has reportedly been fixed in version 9.0.2.0.1 of Oracle 9i Application Server for Microsoft Windows NT, and in Oracle 9i Application Server 9.0.3 for Unix, as listed in Oracle Security Alert #47 at http://otn.oracle.com/deploy/security/pdf/2002alert47rev1.pdf. Upgrades are available from http://otn.oracle.com/

| Related URL | Reference |
| --- | --- |
| Related URL | (CVE) |
| Related URL | 6461 (SecurityFocus) |
| Related URL | 10930 (ISS) |