Oracle 9iAS soapdocs Directory Remote Information Disclosure

This script is Copyright (C) 2003-2014 Javier Fernandez-Sanguino


Synopsis :

The remote web server is affected by an information disclosure issue.

Description :

It is possible to access the Oracle 9iAS Application Server's SOAP
documentation directory, which contains the install scripts used with the
default SOAP install. An attacker might use these files to determine
which application server is in use as well as the name of the disk
where Oracle is installed.

Note that the default installation of Oracle 9iAS 1.0.2.2 does not seem
to suffer from this issue.

See also :

http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
http://www.nextgenss.com/papers/hpoas.pdf

Solution :

Remove the 'soapdocs' alias from the Oracle 9iAS 'http.conf'.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: Databases

Nessus Plugin ID: 11223

Bugtraq ID:

CVE ID: