Oracle 9iAS Java Process Manager /oprocmgr-status Anonymous Process Manipulation

This script is Copyright (C) 2002-2014 Matt Moore

Synopsis :

It is possible to obtain the list of Java processes running on the
remote host anonymously, as well as to start and stop them.

Description :

The remote host is an Oracle 9iAS server. By default, accessing
the location /oprocmgr-status via HTTP lets an attacker obtain
the list of processes running on the remote host, and even to
to start or stop them.

See also :

Solution :

Restrict access to /oprocmgr-status in httpd.conf

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.8
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 10851 ()

Bugtraq ID: 4293

CVE ID: CVE-2002-0563