Security Advisories | Path Disclosure | Oracle 9i Application Server Path Disclosure Vulnerability

Vendor: Oracle Corporation
Version Affected: All servers running Oracle iAS
Type: Path Disclosure
Severity: Medium

I. Description
Oracle 9iAS will display a default error page when a nonexistent ".jsp" file is specified. In the body of this page is the entire local path of the file on the server. This could pose privacy and security risks. An attacker could use this information to extrapolate the location of other files on the victim's machine, and use this information in conjunction with another vulnerability.

II. Impact
 An intruder can gain sensitive information about a server's directory and file structure.

III. Solution
Upgrade to OJSP 1.1.2.0.0. Information available here. Please note that free registration is required to access this page. In Oracle's alert "Oracle Unintended JSP Execution Vulnerability" (pdf), Oracle recommends:
"Ensure that the virtual path in a URL is different from the actual directory path when using Oracle Apache/JServ. Also, do not use the <servletzonepath> directory in "ApJServMount <servletzonepath> <servletzone>" to store data or files."

Advisory References
 http://www.kb.cert.org/vuls/id/278971
http://www.securityfocus.com/bid/3341


Advisory Listing

SQL Injections

Buffer Overflows

Information Disclosure, Path Disclosure

Denial of Service

User Enumeration

Password Disclosure

Network Intelligence (I) Pvt. Ltd. © 2004 | Copyright | Disclaimer
info@niiconsulting.com