Vulnerability Assessment & Network Security Forums

If through a vulnerability assessment, a network security issue is detected for the vulnerability below, applying the appropriate security patches in a timely matter is very important.  If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery.

Home >> Browse Vulnerability Assessment Database >> Databases >> Oracle 9iAS default error information disclosure

Vulnerability Assessment Details

Oracle 9iAS default error information disclosure
Vulnerability Assessment Summary
Tries to retrieve the phisical path of files through Oracle9iAS

Detailed Explanation for this Vulnerability Assessment

Summary :

It is possible to obtain the physical path of the remote server
web root.

Description :

Oracle 9iAS permits remote attackers to obtain the physical path of a file
under the server root via a request for a non-existent .JSP file. The default
error generated leaks the pathname in an error message.

Solution :

Ensure that virtual paths of URL is different from the actual directory
path. Also, do not use the directory in
'ApJServMount ' to store data or files.

Upgrading to Oracle 9iAS 1.1.2.0.0 will also fix this issue.


See also :

http://otn.oracle.com/deploy/security/pdf/jspexecute_alert.pdf
http://www.kb.cert.org/vuls/id/278971
http://www.cert.org/advisories/CA-2002-08.html

http://www.nextgenss.com/papers/hpoas.pdf

Network Security Threat Level:

Low

Networks Security ID: 3341

Vulnerability Assessment Copyright: This script is Copyright (C) 2003 Javier Fernandez-Sanguino
Cables, Connectors


Cisco Systems NCS2K-20-SMRFS-L optical multiplexor CISCO EXCESS picture

Cisco Systems NCS2K-20-SMRFS-L optical multiplexor CISCO EXCESS

$3599.00


Cisco SG110 24 Port Gigabit Ethernet Switch w/ 2 x SFP SG110-24 picture

Cisco SG110 24 Port Gigabit Ethernet Switch w/ 2 x SFP SG110-24

$117.00


Cisco RV320 Dual WAN VPN 4 Port Gigabit Router w/ Web Filtering RV320-WB-K9-NA picture

Cisco RV320 Dual WAN VPN 4 Port Gigabit Router w/ Web Filtering RV320-WB-K9-NA

$374.00


Cisco NC55-MPA-12T-S Port Adapter NCS 5500 Modular Chassis CISCO EXCESS UNIT picture

Cisco NC55-MPA-12T-S Port Adapter NCS 5500 Modular Chassis CISCO EXCESS UNIT

$3900.00


Cisco WS-C3850-48P-L 48-Port Gigabit 3850 PoE Switch w/ 715W+ C3850-NM-4-1G Mod picture

Cisco WS-C3850-48P-L 48-Port Gigabit 3850 PoE Switch w/ 715W+ C3850-NM-4-1G Mod

$83.00


Cisco C3850-NM-2-10G 2 Port Network Exp.Module for 3850 picture

Cisco C3850-NM-2-10G 2 Port Network Exp.Module for 3850

$38.99


Genuine Cisco SFP-10G-SR V03 10GBASE-SR SFP+ Transceiver Module 10-2415-03 picture

Genuine Cisco SFP-10G-SR V03 10GBASE-SR SFP+ Transceiver Module 10-2415-03

$8.00


Cisco Catalyst WS-C2960-48TT-L V02 48 Port Fast Ethernet Switch picture

Cisco Catalyst WS-C2960-48TT-L V02 48 Port Fast Ethernet Switch

$34.00


UNCLAIMED Cisco Meraki MS120-24P-HW - 24Ports Ethernet PoE Switch Same Day Ship picture

UNCLAIMED Cisco Meraki MS120-24P-HW - 24Ports Ethernet PoE Switch Same Day Ship

$315.00


Cisco C9300-48 48 Port Switch Dual PSU W/C9300-NM-8X P/N: C9300-48U-A Tested picture

Cisco C9300-48 48 Port Switch Dual PSU W/C9300-NM-8X P/N: C9300-48U-A Tested

$799.99


Discussions

No Discussions have been posted on this vulnerability.