Oracle 9i Application Server (9iAS) makes the source code of JSP pages publicly available. An attacker may use the source code to analyze proprietary business logic or to uncover Oracle's network configuration, usernames, and/or passwords.
When Oracle 9iAS receives a request for a JSP file, it translates and compiles the page in a temporary directory under the "_pages" directory. The translation step produces a ".java" file containing the generated servlet source, which includes the original JSP source code (the compiled bytecode goes into a separate ".class" file, not into the ".java" file). Since the "_pages" directory is served over the Internet, any remote user can download the ".java" file and read the JSP source code.
An attacker may analyze JSP source code to determine Oracle usernames and passwords, database configuration, or other business logic that may be helpful for mounting more attacks.
The CERT/CC is currently unaware of a solution to this problem from the vendor.
The following workaround was suggested by David Litchfield and has not been tested by the CERT/CC.
Edit the httpd.conf file found in the $ORACLE_HOME$/apache/apache/conf directory.
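One way to carry out that edit, shown here as an added example and not as the workaround text from the original note or from the reporter: an Apache 1.3-style access control block that denies every request whose path contains a "_pages" component, plus a second block that refuses to serve any file ending in ".java" regardless of path. The URL pattern is an assumption about where 9iAS exposes "_pages" beneath the document root; the directives go in the httpd.conf named above and must be verified on the target installation.

```apache
# Added example (not part of the original note): block remote access to
# the JSP translation directory. The path pattern is an assumption about
# where 9iAS exposes "_pages" under the document root; adjust it to match
# the actual URL layout of the server being protected.
<LocationMatch "/_pages/">
    Order deny,allow
    Deny from all
</LocationMatch>

# Defence in depth: never serve generated servlet source, even if the
# translation directory is reachable by some other path.
<Files ~ "\.java$">
    Order deny,allow
    Deny from all
</Files>
```

After restarting the Oracle HTTP Server, confirm the change took effect by requesting the URL of a ".java" file under "_pages" that was previously retrievable and checking that the server now answers 403 Forbidden, while the JSP page itself still renders normally. Note that this restricts the web server's delivery of the files only; the translated sources remain on disk and readable by local users with access to the "_pages" directory.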
Thanks to David Litchfield for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-02-27
Date Last Updated: 2002-03-12 21:08 UTC