Security Assessment Software - PCI DSS, Firewall Rulebase Analysis, AuditPro, Firesec, Security Assessment and Audit Software for all versions of Operating Systems, Databases, Routers, Switches, Windows, Unix, Linux, Oracle, MS SQL, IBM DB2, Cisco PIX, Cyberguard, Netscreen, Checkpoint Firewalls, GFI Languard, in India, Mumbai, Hyderabad, Delhi, Bangalore, Chennai, Kolkatta, UAE, Dubai, Kuwait, Bahrain, Qatar, Saudi Arabia, Malaysia, Singapore, Thailand, Far East, USA, Europe, North America.

Advisory Listing

SQL Injections

Oracle 9i Application Server Path Disclosure
Security Advisories \| Path Disclosure \| Oracle 9i Application Server Path Disclosure Vulnerability Vendor: Oracle Corporation Version Affected: All servers running Oracle iAS Type: Path Disclosure Severity: Medium
I. Description
Oracle 9iAS will display a default error page when a nonexistent ".jsp" file is specified. In the body of this page is the entire local path of the file on the server. This could pose privacy and security risks. An attacker could use this information to extrapolate the location of other files on the victim's machine, and use this information in conjunction with another vulnerability.
II. Impact
An intruder can gain sensitive information about a server's directory and file structure.
III. Solution
Upgrade to OJSP 1.1.2.0.0. Information available here. Please note that free registration is required to access this page. In Oracle's alert "Oracle Unintended JSP Execution Vulnerability" (pdf), Oracle recommends: "Ensure that the virtual path in a URL is different from the actual directory path when using Oracle Apache/JServ. Also, do not use the <servletzonepath> directory in "ApJServMount <servletzonepath> <servletzone>" to store data or files."
References
http://www.kb.cert.org/vuls/id/278971 http://www.securityfocus.com/bid/3341