This script is Copyright (C) 2002-2016 Matt Moore
Synopsis :
Sensitive data may be read on the remote host.
Description :
In a default installation of Oracle 9iAS it is possible to read the
source of JSP files. When a JSP is requested it is compiled 'on the fly'
and the resulting HTML page is returned to the user. Oracle 9iAS uses a
folder to hold the intermediate files during compilation. These files
are created in the same folder in which the .JSP page resides. Hence, it
is possible to access the .java and compiled .class files for a given
Solution :
Edit httpd.conf to disallow access to the _pages folder.
Risk factor :
Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : true
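
A log check for the exposure described above, as an added example that is not part of the original plugin text: it flags access-log requests for .java or .class files under a _pages folder and reports whether the server returned content. It assumes Apache Common Log Format; the function names, paths and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed format, Apache Common Log Format:
# host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
INTERMEDIATE_EXT = (".java", ".class")  # intermediate files named in the description


def is_pages_intermediate(target: str) -> bool:
    """True if the path has a _pages folder segment and ends in .java/.class."""
    # Drop the query string, undo %xx encoding and ignore case before matching.
    path = unquote(urlsplit(target).path).lower()
    segments = [s for s in path.split("/") if s]
    return "_pages" in segments[:-1] and path.endswith(INTERMEDIATE_EXT)


def find_pages_reads(lines):
    """Return (host, target, status, served) for each matching request."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or not is_pages_intermediate(m["target"]):
            continue
        status = int(m["status"])
        # 200/206 with a non-empty body means file content left the server.
        served = status in (200, 206) and m["size"] not in ("-", "0")
        hits.append((m["host"], m["target"], status, served))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2002:10:01:02 +0000] "GET /shop/cart.jsp HTTP/1.0" 200 2210',
    '192.0.2.44 - - [12/Mar/2002:10:03:15 +0000] "GET /shop/_pages/cart.java HTTP/1.0" 200 5120',
    '192.0.2.44 - - [12/Mar/2002:10:03:16 +0000] "GET /shop/%5Fpages/cart.CLASS HTTP/1.0" 403 -',
    '192.0.2.10 - - [12/Mar/2002:10:05:40 +0000] "GET /docs/my_pages/readme.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for host, target, status, served in find_pages_reads(SAMPLE_LOG):
        print(f"{host} {target} status={status} content_served={served}")
```

A hit with `served` true means the folder is still reachable and the httpd.conf change has not taken effect; hits answered with 403 show probing against a server where access is already denied.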