Oracle 9iAS Jsp Source File Reading Network Vulnerability

Summary

In a default installation of Oracle 9iAS it is possible to read the source of JSP files. When a JSP is requested it is compiled 'on the fly' and the resulting HTML page is returned to the user. Oracle 9iAS uses a folder to hold the intermediate files during compilation. These files are created in the same folder in which the .JSP page resides. Hence, it is possible to access the .java and compiled .class files for a given JSP page.

Solution

Edit httpd.conf to disallow access to the _pages folder.

References

http://www.oracle.com
http://wwww.nextgenss.com/advisories/orajsa.txt

Updated on 2015-03-25

Severity

Classification

CVE CVE-2002-0562

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Allegro RomPager HTTP Referer Header Cross Site Scripting Vulnerability
An Image Gallery Multiple Cross-Site Scripting Vulnerability
Apache Tomcat RemoteFilterValve Security Bypass Vulnerability
AfterLogic WebMail Pro Multiple Cross Site Scripting Vulnerabilities
Alt-N WebAdmin Remote Source Code Information Disclosure Vulnerability

Take action and discover your vulnerabilities