Oracle 9iAS globals.jsa Database Credential Remote Disclosure

medium Nessus Plugin ID 10850

Synopsis

Sensitive data may be disclosed on the remote host.

Description

In the default configuration of Oracle 9iAS, it is possible to make requests for the globals.jsa file for a given web application. These files should not be returned by the server as they often contain sensitive information such as database credentials.

Solution

Edit httpd.conf to disallow access to *.jsa.
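One way to confirm the httpd.conf change is in place, as an added example (not part of the Nessus plugin or of Oracle's guidance): the Python below scans configuration text for a `<Files>` or `<FilesMatch>` block that matches globals.jsa and denies access. The two sample configurations are constructed, the function name `blocks_jsa` is hypothetical, and the check assumes a single file (it does not follow `Include` directives) and approximates Apache's regex matching with Python's `re`.

```python
import fnmatch
import re

# Constructed httpd.conf fragments (not taken from a real host).
# Order/Deny is the Apache 1.3/2.2 access syntax; 2.4 uses "Require all denied".
HARDENED = r"""
ServerName app.example.com
<FilesMatch "\.jsa$">
    Order allow,deny
    Deny from all
</FilesMatch>
"""
DEFAULT = r"""
ServerName app.example.com
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
"""

BLOCK = re.compile(
    r'^[ \t]*<(Files|FilesMatch)\s+(~\s*)?"?([^">]+)"?\s*>(.*?)^[ \t]*</\1>',
    re.I | re.S | re.M)
DENY = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)


def blocks_jsa(conf_text, filename="globals.jsa"):
    """Return True if some <Files>/<FilesMatch> block matches filename and denies it."""
    # Drop comment lines so a commented-out rule does not count as protection.
    text = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    for m in BLOCK.finditer(text):
        kind, tilde, pattern, body = m.group(1).lower(), m.group(2), m.group(3), m.group(4)
        if kind == "filesmatch" or tilde:
            # <FilesMatch "re"> and <Files ~ "re"> take a regular expression.
            try:
                hit = re.search(pattern, filename) is not None
            except re.error:
                continue
        else:
            # Plain <Files "*.jsa"> takes shell-style wildcards.
            hit = fnmatch.fnmatch(filename, pattern)
        if hit and DENY.search(body):
            return True
    return False


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT), ("hardened", HARDENED)):
        print(name, "->", "blocked" if blocks_jsa(conf) else "no deny rule for globals.jsa")
```

A passing result only shows the rule exists in the text that was checked; re-running the scan against the server after a restart confirms the rule is effective.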

See Also

http://www.nessus.org/u?a1e12e40

https://www.oracle.com/index.html

Plugin Details

Severity: Medium

ID: 10850

File Name: oracle9i_globals_dot_jsa.nasl

Version: 1.28

Type: remote

Family: Databases

Published: 2/7/2002

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:oracle:application_server, cpe:/a:oracle:application_server_web_cache

Required KB Items: www/OracleApache

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2002

Vulnerability Publication Date: 2/6/2002

Reference Information

CVE: CVE-2002-0562

BID: 4034