| Field | Value |
| --- | --- |
| VID | 22169 |
| Severity | 20 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Oracle9iAS application server allows a remote attacker to access the SOAP documents. Oracle9iAS supports SOAP (Simple Object Access Protocol), a simple and lightweight XML-based protocol for exchanging information between peers in a decentralized, distributed environment, for Web administration of database services. A default Oracle9iAS installation has the SOAP components enabled, and anonymous users can access the SOAP documents. These files can help a remote attacker gather sensitive information about the target server and mount further attacks. For example, the "ReleaseNotes.html" file discloses information such as the Oracle iAS version and the SOAP version; in ReleaseNotes.html this appears as `<center>iAS v1.X.X.X</center>`. References: http://www.kb.cert.org/vuls/id/476619 and http://www.cert.org/advisories/CA-2002-08.htm |
| Recommendation | Remove the 'soapdocs' alias so that the SOAP documents directory is no longer mapped: (1) open the Oracle 9iAS httpd.conf file; (2) delete the 'soapdocs' alias line from this file: `Alias /soapdocs/ $ORACLE_HOME/soap/docs/` |
| Related URL | (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |