Oracle 9iAS _pages Directory Compiled JSP Source Disclosure

medium Nessus Plugin ID 10852

Synopsis

Sensitive data may be read on the remote host.

Description

In a default installation of Oracle 9iAS it is possible to read the source of JSP files. When a JSP is requested it is compiled 'on the fly' and the resulting HTML page is returned to the user. Oracle 9iAS uses a folder to hold the intermediate files during compilation. These files are created in the same folder in which the .JSP page resides. Hence, it is possible to access the .java and compiled .class files for a given JSP page.

Solution

Edit httpd.conf to disallow access to the _pages folder.
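One way to apply that fix, as an added example that is not part of the Nessus page or of Oracle's own documentation: an httpd.conf fragment that refuses every request whose path contains a `_pages` directory, wherever it sits under the document root. It assumes the translator output directory is named `_pages` (as the title states) and that the server is the Apache-based Oracle HTTP Server shipped with 9iAS; the pattern and directive names are the editor's choice, not Oracle's.

```apache
# Added example (not from the Nessus page or Oracle docs): deny access to the
# JSP translator's work directory so the generated .java and .class files are
# never served. LocationMatch is evaluated on the request URL, so it covers a
# _pages directory at any depth, e.g. /demo/_pages/_index.java.
<LocationMatch "/_pages(/|$)">
    # Apache 1.3 / 2.2 access-control syntax (the lineage Oracle HTTP Server
    # in 9iAS is based on). On Apache 2.4 replace the two lines below with:
    #     Require all denied
    Order deny,allow
    Deny from all
</LocationMatch>
```

After restarting the server, a request for any URL containing `/_pages/` should return 403 rather than a .java or .class file, which is the check to run before closing this finding.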

See Also

http://www.nessus.org/u?80fe4531

https://www.oracle.com/index.html

Plugin Details

Severity: Medium

ID: 10852

File Name: oracle9i_jsp_source.nasl

Version: 1.30

Type: remote

Family: Databases

Published: 2/7/2002

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:oracle:application_server_web_cache, cpe:/a:oracle:application_server

Required KB Items: www/OracleApache

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2002

Vulnerability Publication Date: 2/7/2002

Reference Information

CVE: CVE-2002-0565

BID: 4034