Software Engineering Institute

When Oracle receives a request for JSP file, it compiles the file in a temporary directory under the "_pages" directory. The compilation of each JSP file results in a ".java" file, which contains Java bytecode and the original JSP source code. Since the "_pages" directory is publicly available over the Internet, any remote user can download the ".java" file and read the JSP source code.

An attacker may analyze JSP source code to determine Oracle usernames and passwords, database configuration, or other business logic that may be helpful for mounting more attacks.

The CERT/CC is currently unaware of a solution to this problem from the vendor.

The following workarounds were suggested by David Litchfield and have not been tested by CERT/CC.

Edit the httpd.conf file found in the $ORACLE_HOME$/apache/apache/conf directory.

To prevent access to the globals.jsa file add the following entry:

<Files ~ "^\globals.jsa">
    Order allow,deny
    Deny from all
</Files>

To prevent access to the .java pages add the following entry:

<Location /_pages>
    Order deny,allow
    Deny from all
</Location>

Note that if the JSP pages are stored in a aliased directory (i.e. not a subdirectory of "htdocs") then it is neccessary to add an entry of

<Location /dirname/_pages>
    Order deny,allow
    Deny from all
</Location>

when "dirname" is the name of the aliased directory.