Vulnerability Note VU#547459
Oracle 9iAS creates temporary files when processing JSP requests that are world-readable
Oracle Database Server version 9iAS makes JSP source code publicly available. The source code may be used by attackers to analyze proprietary business logic or uncover Oracle's network configuration, usernames, and/or passwords.
When Oracle receives a request for JSP file, it compiles the file in a temporary directory under the "_pages" directory. The compilation of each JSP file results in a ".java" file, which contains Java bytecode and the original JSP source code. Since the "_pages" directory is publicly available over the Internet, any remote user can download the ".java" file and read the JSP source code.
An attacker may analyze JSP source code to determine Oracle usernames and passwords, database configuration, or other business logic that may be helpful for mounting more attacks.
The CERT/CC is currently unaware of a solution to this problem from the vendor.
The following workarounds were suggested by David Litchfield and have not been tested by CERT/CC.
Edit the httpd.conf file found in the $ORACLE_HOME$/apache/apache/conf directory.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Oracle||Affected||07 Feb 2002||26 Feb 2002|
CVSS Metrics (Learn More)
Thanks to David Litchfield for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
- CVE IDs: Unknown
- Date Public: 06 Feb 2002
- Date First Published: 26 Feb 2002
- Date Last Updated: 12 Mar 2002
- Severity Metric: 11.25
- Document Revision: 11
If you have feedback, comments, or additional information about this vulnerability, please send us email.