Oracle 9iAS Default Error Information Disclosure Network Vulnerability

Summary

It is possible to obtain the physical path of the remote server web root. Description : Oracle 9iAS allows remote attackers to obtain the physical path of a file under the server root via a request for a non-existent .JSP file. The default error generated leaks the pathname in an error message.

Solution

Ensure that virtual paths of URL is different from the actual directory path. Also, do not use the <servletzonepath> directory in 'ApJServMount <servletzonepath> <servletzone>' to store data or files. Upgrading to Oracle 9iAS 1.1.2.0.0 will also fix this issue. http://www.nextgenss.com/papers/hpoas.pdf

References

http://otn.oracle.com/deploy/security/pdf/jspexecute_alert.pdf
http://www.cert.org/advisories/CA-2002-08.html
http://www.kb.cert.org/vuls/id/278971

Updated on 2015-03-25

Severity

Classification

CVE CVE-2001-1372

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Alt-N WebAdmin Remote Source Code Information Disclosure Vulnerability
Apache Open For Business HTML injection vulnerability
Apache Tomcat TroubleShooter Servlet Installed
Apache Solr Directory Traversal Vulnerability Jan-14
Afian 'includer.php' Directory Traversal Vulnerability

Oracle 9iAS default error information disclosure

Take action and discover your vulnerabilities