VID 22168
Severity 20
Port 80, ...
Protocol TCP
Class WWW
Detailed Description The Oracle9iAS server discloses the physical path of files on the web server when a non-existent .jsp file is requested.
Oracle's Oracle9iAS server comes with an Apache-based web server and a Java servlet engine for the HTTP server. Some versions of Oracle9iAS allow a remote attacker to learn the physical path of files on the web server. The vulnerability arises when a remote attacker requests a non-existent file with the extension .jsp, as in the following URL:

http://target_server/non_existent_file.jsp

The server returns an error page that contains the physical path of the file on the web server, as follows:

JSP Error:
Request URI:/non_existent_file.jsp
Exception:
javax.servlet.ServletException: java.io.FileNotFoundException: /usr/local/oracle_home/Apache/Apache/htdocs/non_existent_file.jsp (No such file or directory)

Using this vulnerability, a remote attacker can gain sensitive information about the target server's file system and use it to perform further attacks.
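
A check that can be run over captured error-page bodies to confirm whether the physical path is still disclosed, for example after upgrading. This is an added example, not part of the original advisory; the function name and the Windows-path handling are assumptions, and both samples are constructed from the error page quoted above.

```python
import re

# Constructed sample: the error page text quoted in this advisory.
SAMPLE_VULNERABLE = """JSP Error:
Request URI:/non_existent_file.jsp
Exception:
javax.servlet.ServletException: java.io.FileNotFoundException: /usr/local/oracle_home/Apache/Apache/htdocs/non_existent_file.jsp (No such file or directory)
"""

# Constructed sample: a generic 404 body that reveals nothing about the file system.
SAMPLE_CLEAN = """<html><body><h1>404 Not Found</h1>
The requested URL /non_existent_file.jsp was not found on this server.</body></html>
"""

URI_RE = re.compile(r"Request URI:\s*(\S+)")
# Absolute POSIX path or Windows drive path (without whitespace) that follows
# the FileNotFoundException text in the error page.
PATH_RE = re.compile(r"FileNotFoundException:\s*((?:/|[A-Za-z]:[\\/])[^\s(<]+)")


def find_path_disclosure(body):
    """Return details of a leaked physical path in an error page body, or None."""
    m = PATH_RE.search(body)
    if not m:
        return None
    physical = m.group(1)
    finding = {"physical_path": physical, "request_uri": None, "document_root": None}
    u = URI_RE.search(body)
    if u:
        uri = u.group(1).split("?", 1)[0]  # drop any query string
        finding["request_uri"] = uri
        # If the physical path ends with the virtual path, the remainder is the
        # document root: the URL-to-directory mapping is fully exposed.
        normalized = physical.replace("\\", "/")
        if normalized.endswith(uri):
            finding["document_root"] = normalized[: -len(uri)]
    return finding


if __name__ == "__main__":
    print(find_path_disclosure(SAMPLE_VULNERABLE))
    print(find_path_disclosure(SAMPLE_CLEAN))
```

A non-`None` result with `document_root` set means the error page exposes the full mapping from URL to directory, which is the condition the workaround below is meant to avoid.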

* Platforms Affected:
Oracle9i Application Server 1.0.0
Oracle9i Application Server 1.0.1
Oracle9i Application Server 1.0.2

* References:
http://online.securityfocus.com/bid/3341
http://www.iss.net/security_center/static/7135.php
Recommendation Upgrade to OJSP 1.1.2.0.0 from Oracle's web site: http://otn.oracle.com/software/tech/java/servlets/content.html

As a workaround, ensure that the virtual path in a URL is different from the actual directory path when using Oracle Apache/JServ. Also, do not use the <servletzonepath> directory in "ApJServMount <servletzonepath> <servletzone>" to store data or files.
Related URL CVE-2001-1372 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)