[NEWS] Oracle Application Server Discloses Full Path for Missing JSP Files

From: support@securiteam.com
Date: 10/07/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Oracle Application Server Discloses Full Path for Missing JSP Files
Message-Id: <20011007064411.2691B138C4@mail.der-keiler.de>
Date: Sun,  7 Oct 2001 08:44:11 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Oracle Application Server Discloses Full Path for Missing JSP Files
------------------------------------------------------------------------

SUMMARY

Oracle Application Server reveals the true filesystem path of JSP files
when a non-existent file is requested.

DETAILS

An information disclosure vulnerability was discovered in Oracle 9i
Application Server. The embedded Apache web server returns the
complete filesystem path in its error page when a remote user requests
a JavaServer Pages (JSP) file that does not exist.

Example:
http://[targethost]/Content/Home/anyfile.jsp

Results in:

---
Request URI:/Content/Home/Jsp/anyfile.jsp

Exception: javax.servlet.ServletException: java.io.FileNotFoundException: d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp (The system cannot find the file specified)
---

Solution: Apply the workaround described in the following article: <http://www.securiteam.com/exploits/5AP0H1F3GG.html> Workaround for the Unintended JSP Execution when using Oracle, Apache and JServ
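As an added example (not part of the advisory or of Oracle's code), the following Python checks an error-page body for filesystem paths carried in Java exception messages, as in the response shown above, and scrubs them down to the file name so a custom error page does not disclose the install directory. The regex names and the sample body are constructed for this example.

```python
import re

# A Java exception class name whose message begins with an absolute path,
# either Windows (d:\oracle\...) or Unix (/opt/oracle/...). Constructed regexes.
_WIN_PATH = r'[A-Za-z]:\\[^\s<>|")]+'
_UNIX_PATH = r"/(?:[\w.-]+/)+[\w.-]+"
LEAK_RE = re.compile(
    rf"(?P<exc>javax?\.[\w.]+(?:Exception|Error)):\s*(?P<path>{_WIN_PATH}|{_UNIX_PATH})"
)

# Constructed error body mirroring the advisory's sample response.
SAMPLE_BODY = (
    "Request URI:/Content/Home/Jsp/anyfile.jsp\n\n"
    "Exception: javax.servlet.ServletException: java.io.FileNotFoundException: "
    "d:\\oracle\\ias\\apache\\apache\\htdocs\\company\\content\\home\\jsp\\anyfile.jsp "
    "(The system cannot find the file specified)\n"
)


def find_path_disclosure(body: str) -> list[dict]:
    """Return each leaked path together with the exception class that carried it.

    The request URI line is deliberately not matched: it is a URL path, not a
    filesystem path, so only paths inside exception messages count.
    """
    return [
        {"exception": m.group("exc"), "path": m.group("path")}
        for m in LEAK_RE.finditer(body)
    ]


def scrub_error_body(body: str) -> str:
    """Replace every leaked path with its basename only, for a safe error page."""
    def _mask(m: re.Match) -> str:
        name = re.split(r"[\\/]", m.group("path"))[-1]
        return f"{m.group('exc')}: [path removed]/{name}"
    return LEAK_RE.sub(_mask, body)


if __name__ == "__main__":
    for finding in find_path_disclosure(SAMPLE_BODY):
        print(f"{finding['exception']} leaks {finding['path']}")
    print(scrub_error_body(SAMPLE_BODY))
```

Running the checker against the error responses a server returns for a deliberately non-existent JSP (on systems you own or are authorised to test) gives a quick regression test that the workaround is in place.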

ADDITIONAL INFORMATION

The information has been provided by <mailto:kkmookhey@yahoo.com> KK Mookhey and <mailto:secalert_us@oracle.com> Oracle Security Alerts.

