Summary
In a default installation of Oracle 9iAS it is possible to read the source of JSP files. When a JSP is requested it is compiled 'on the fly' and the resulting HTML page is returned to the user. Oracle 9iAS uses a folder to hold the intermediate files during compilation. These files are created in the same folder in which the .JSP page resides. Hence, it is possible to access the .java and compiled .class files for a given JSP page.
Solution
Edit httpd.conf to disallow access to the _pages folder.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2002-0562 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities