Family: Databases --> Category: infos
Oracle 9iAS default error information disclosure Vulnerability Scan
Vulnerability Scan Summary: Tries to retrieve the physical path of files through Oracle 9iAS
Detailed Explanation for this Vulnerability Test
Synopsis :
It is possible to obtain the physical path of the remote server
web root.
Description :
Oracle 9iAS allows remote attackers to obtain the physical path of a file
under the server root via a request for a non-existent .JSP file. The default
error page returned for the missing file includes the full filesystem pathname
of where the server looked for it. On its own this is only an information leak,
but knowing the real directory layout makes path traversal and file disclosure
attacks against the same host much easier to aim.
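The check described above, written out as an added example in Python. This is not the original plugin's code and not Oracle's: it requests a randomly named, non-existent .jsp file and scans the response body for an absolute Windows or Unix path that ends in that name, which is the signature of the leak. The error-page wording in the embedded samples is constructed for offline testing and is not the exact text Oracle 9iAS emits; the two path regexes are assumptions about what a leaked filesystem path looks like.

```python
"""Detect a leaked filesystem path in the error page for a missing .jsp file.

Added example for this page; not part of the original scanner plugin or Oracle's code.
"""
import http.client
import re
import secrets

# Assumed shapes of a leaked absolute path.  Both require at least one directory
# component before the filename, so a bare URL path such as "/probe.jsp" echoed in a
# normal 404 page does not count as a leak.
_WINDOWS_PATH = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n\s]+\\)+[^\\/:*?"<>|\r\n\s]*\.jsp', re.IGNORECASE
)
_UNIX_PATH = re.compile(r'(?<![\w/])/(?:[\w.\-]+/)+[\w.\-]*\.jsp', re.IGNORECASE)


def random_jsp_name() -> str:
    """A filename that cannot exist on the target, so the server must error out."""
    return f"{secrets.token_hex(8)}.jsp"


def find_leaked_paths(body: str, probe_name: str) -> list:
    """Return every absolute filesystem path in body that ends in probe_name."""
    hits = []
    for pattern in (_WINDOWS_PATH, _UNIX_PATH):
        for match in pattern.finditer(body):
            if match.group(0).lower().endswith(probe_name.lower()):
                hits.append(match.group(0))
    return hits


def web_root_from_path(leaked: str, probe_name: str) -> str:
    """Strip the probe filename and its separator: what is left is the directory the
    server mapped the URL onto, i.e. the web root the synopsis talks about."""
    return leaked[: len(leaked) - len(probe_name)].rstrip("/\\")


def probe_host(host: str, port: int = 80, timeout: float = 10.0):
    """Live check: GET a random non-existent .jsp and scan the response for a path.
    Returns (http_status, [leaked paths]).  Not exercised by the offline samples."""
    name = random_jsp_name()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/" + name)
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return resp.status, find_leaked_paths(body, name)
    finally:
        conn.close()


# Constructed sample responses for offline use.  The wording is invented for the
# example and is not the real Oracle 9iAS error text.
SAMPLE_PROBE = "a1b2c3d4e5f6a7b8.jsp"
SAMPLE_UNIX = (
    "<html><body><h1>Error</h1>\n"
    "java.io.FileNotFoundException: /u01/app/oracle/9ias/Apache/Apache/htdocs/"
    + SAMPLE_PROBE
    + " (No such file or directory)\n</body></html>"
)
SAMPLE_WINDOWS = (
    "<html><body><h1>Error</h1>\n"
    "java.io.FileNotFoundException: C:\\Oracle\\iSuites\\Apache\\Apache\\htdocs\\"
    + SAMPLE_PROBE
    + " (The system cannot find the file specified)\n</body></html>"
)
# A hardened server echoes only the virtual path, which must not be flagged.
SAMPLE_CLEAN = (
    "<html><head><title>404 Not Found</title></head><body>"
    "The requested URL /" + SAMPLE_PROBE + " was not found on this server."
    "</body></html>"
)

if __name__ == "__main__":
    for label, body in (("unix", SAMPLE_UNIX), ("windows", SAMPLE_WINDOWS), ("clean", SAMPLE_CLEAN)):
        leaks = find_leaked_paths(body, SAMPLE_PROBE)
        roots = [web_root_from_path(p, SAMPLE_PROBE) for p in leaks]
        print(f"{label}: leaked={leaks} web_root={roots}")
```

Against a live host, `probe_host("target.example", 7777)` (port is whatever the JServ-fronted listener uses on that install) returns the status code and any leaked paths; an empty list together with a plain 404 or 500 is the expected result after the fix. Using a random filename rather than a fixed one avoids false positives from cached or pre-seeded error pages.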
Solution :
Ensure that the virtual paths used in URLs differ from the actual directory
paths on disk, and do not use the directory mapped by
'ApJServMount' to store data or files.
Upgrading to Oracle 9iAS 1.1.2.0.0 also fixes this issue.
See also :
http://otn.oracle.com/deploy/security/pdf/jspexecute_alert.pdf
http://www.kb.cert.org/vuls/id/278971
http://www.cert.org/advisories/CA-2002-08.html
http://www.nextgenss.com/papers/hpoas.pdf
Threat Level:
Low