Oracle 9iAS XSQLServlet soapConfig.xml Authentication Credentials Disclosure

medium Nessus Plugin ID 11224

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

In a default installation of Oracle 9iAS v.1.0.2.2.1, it is possible to access some configuration files over the web. These files include detailed information on how the product was installed on the server, including where the SOAP provider and service manager are located, as well as the administrative URLs used to access them. They may also contain sensitive information such as usernames and passwords for database access.

Solution

Modify the file permissions so that the web server process cannot retrieve these files. Note, however, that if the XSQLServlet is present it might bypass filesystem restrictions.

See Also

http://www.nextgenss.com/papers/hpoas.pdf

https://www.oracle.com/technetwork/index.html

Plugin Details

Severity: Medium

ID: 11224

File Name: oracle9i_soapconfig.nasl

Version: 1.29

Type: remote

Family: Databases

Published: 2/11/2003

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.3

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:oracle:application_server

Required KB Items: www/OracleApache

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/10/2002

Reference Information

CVE: CVE-2002-0568

BID: 4290

CERT: 476619

CERT-CC: CA-2002-08