Summary
In a default installation of Oracle 9iAS v.1.0.2.2.1, it is possible to access some configuration files. These file includes detailed information on how the product was installed in the server including where the SOAP provider and service manager are located as well as administrative URLs to access them. They might also contain sensitive information (usernames and passwords for database access).
Solution
Modify the file permissions so that the web server process cannot retrieve it. Note however that if the XSQLServlet is present it might bypass filesystem restrictions.
More information:
http://otn.oracle.com/deploy/security/pdf/ojvm_alert.pdf http://www.cert.org/advisories/CA-2002-08.html
http://www.kb.cert.org/vuls/id/476619
Also read:
Hackproofing Oracle Application Server from NGSSoftware:
available at http://www.nextgenss.com/papers/hpoas.pdf
Severity
Classification
-
CVE CVE-2002-0568 -
CVSS Base Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities