Summary
It is possible to obtain the list of Java processes running on the remote host anonymously, as well as to start and stop them.
Description
The remote host is an Oracle 9iAS server. By default, accessing the location /oprocmgr-status via HTTP lets an attacker obtain the list of processes running on the remote host, and even start or stop them.
Solution
Restrict access to /oprocmgr-status in httpd.conf
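One way to confirm the restriction is in place is to audit httpd.conf offline. The script below is an added example, not part of the original advisory or of any Oracle tooling. It assumes the server uses Apache 1.3-style Order/Allow/Deny directives; the function name and the sample configuration fragments are constructed for illustration.

```python
import re

# Constructed httpd.conf fragments for illustration (not from a real server).
HARDENED = """
<Location /oprocmgr-status>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""
WORLD_OPEN = """
<Location /oprocmgr-status>
    Order allow,deny
    Allow from all
</Location>
"""

def audit_location(conf, path="/oprocmgr-status"):
    """Classify the <Location> block for `path` as 'missing', 'open' or 'restricted'.

    'restricted' only means the block is not open to every client; the Allow
    list itself still needs review.
    """
    # Drop comment lines so a commented-out "Deny from all" is not counted.
    text = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    block = re.search(r'<Location\s+"?%s"?\s*>(.*?)</Location>' % re.escape(path),
                      text, re.I | re.S)
    if block is None:
        return "missing"  # no explicit rule for this location
    order, allow, deny = "deny,allow", set(), set()  # deny,allow is the default Order
    for line in block.group(1).splitlines():
        words = line.lower().split()
        if len(words) > 1 and words[0] == "order":
            order = "".join(words[1:])
        elif len(words) > 2 and words[0] in ("allow", "deny") and words[1] == "from":
            (allow if words[0] == "allow" else deny).update(words[2:])
    if order == "deny,allow":
        # Deny is evaluated first, Allow overrides it, unmatched clients get in.
        return "restricted" if "all" in deny and "all" not in allow else "open"
    # allow,deny (and mutual-failure): unmatched clients are refused, Deny wins.
    return "open" if "all" in allow and "all" not in deny else "restricted"

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("world-open", WORLD_OPEN), ("empty", "")):
        print(name, "->", audit_location(conf))
```

A result of "missing" means no explicit rule was found for the location, which per the description above leaves it reachable by default.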
Severity
Classification
- CVE: CVE-2002-0563
- CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)