Oracle 9iAS _pages Directory Compiled JSP Source Disclosure

This script is Copyright (C) 2002-2014 Matt Moore

Synopsis :

Sensitive data may be read on the remote host.

Description :

In a default installation of Oracle 9iAS it is possible to read the
source of JSP files. When a JSP is requested it is compiled 'on the fly'
and the resulting HTML page is returned to the user. Oracle 9iAS uses a
folder to hold the intermediate files during compilation. These files
are created in the same folder in which the .JSP page resides. Hence, it
is possible to access the .java and compiled .class files for a given
JSP page.

Solution :

Edit httpd.conf to disallow access to the _pages folder.
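
One way to check web server access logs for reads of these intermediate files, before and after the httpd.conf change. This is an added example, not part of the plugin or of Oracle's guidance. It assumes Apache common log format; the sample lines, hosts and file names are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (assumed format;
# hosts and paths are made up for illustration).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2002:10:01:22 +0000] "GET /app/cart.jsp HTTP/1.0" 200 1834
192.0.2.10 - - [12/Feb/2002:10:01:40 +0000] "GET /app/_pages/_cart.java HTTP/1.0" 200 5120
198.51.100.7 - - [12/Feb/2002:10:05:03 +0000] "GET /app/_pages/_cart.class HTTP/1.0" 403 289
198.51.100.7 - - [12/Feb/2002:10:05:09 +0000] "GET /docs/_pages.html HTTP/1.0" 200 412
203.0.113.5 - - [12/Feb/2002:10:07:55 +0000] "HEAD /app/_pages/_login.JAVA?x=1 HTTP/1.0" 200 0
"""

# Captures: client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_pages_artifact(target):
    """True if the request path has a _pages directory segment and names a
    .java or .class file (the intermediate files the advisory describes)."""
    # Logs hold the raw request line: drop the query, decode %xx, fold case.
    path = unquote(target.split("?", 1)[0]).lower()
    segments = path.split("/")
    return "_pages" in segments[:-1] and path.endswith((".java", ".class"))

def audit(log_text):
    """Split _pages artifact requests into served ('exposed') and refused
    ('blocked') lists of (client, target, status)."""
    result = {"exposed": [], "blocked": []}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a common-log-format line
        client, _method, target, status = m.groups()
        if not is_pages_artifact(target):
            continue
        status = int(status)
        if status in (200, 206, 304):      # content was (or had been) served
            result["exposed"].append((client, target, status))
        elif status in (401, 403):         # access control is in effect
            result["blocked"].append((client, target, status))
    return result

if __name__ == "__main__":
    for verdict, hits in audit(SAMPLE_LOG).items():
        for client, target, status in hits:
            print(f"{verdict:8} {status} {client} {target}")
```

Any "exposed" entry dated after the configuration change means the restriction is not covering that path.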

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 10852

Bugtraq ID: 4034

CVE ID: CVE-2002-0565
