Oracle 9iAS Nonexistent .jsp File Request Error Message Path Disclosure

medium Nessus Plugin ID 11226

Synopsis

It is possible to obtain the physical path of the remote server web root.

Description

Oracle 9iAS allows remote attackers to obtain the physical path of a file under the server root via a request for a nonexistent .JSP file.
The default error generated leaks the pathname in an error message.

Solution

Ensure that virtual paths of URL is different from the actual directory path. Also, do not use the <servletzonepath> directory in 'ApJServMount <servletzonepath> <servletzone>' to store data or files.

Upgrading to Oracle 9iAS 1.1.2.0.0 will also fix this issue.

See Also

http://www.nessus.org/u?8d439be5

http://www.nessus.org/u?97653726

Plugin Details

Severity: Medium

ID: 11226

File Name: oracle9i_jspdefaulterror.nasl

Version: 1.29

Type: remote

Family: Databases

Published: 2/11/2003

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.3

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:oracle:application_server

Required KB Items: www/OracleApache

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2002

Vulnerability Publication Date: 4/9/2004

Reference Information

CVE: CVE-2001-1372

BID: 3341

CERT: 278971

CERT-CC: CA-2002-08