Oracle 9iAS Nonexistent .jsp File Request Error Message Path Disclosure

This script is Copyright (C) 2003-2014 Javier Fernandez-Sanguino

Synopsis :

It is possible to obtain the physical path of the remote web server's files.

Description :

Oracle 9iAS allows remote attackers to obtain the physical path of a
file under the server root via a request for a nonexistent .JSP file.
The default error page for the missing file names its full filesystem
path, which tells an attacker where the installation lives on disk.
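The check described above, as an added example that is not part of the Nessus plugin: request a .jsp name that cannot exist and scan the error page for an absolute filesystem path. The sample response body and the host/port handling are constructed for this example; the regular expressions only accept paths with at least one directory component ending in .jsp, so the echoed request URI or a URL in the page is not reported as a leak.

```python
"""Added path-disclosure probe (example code, not the Nessus plugin itself)."""
import http.client
import re
import uuid

# Absolute paths as they appear in a leaked error message:
#   - Unix: at least one directory component, file ending in .jsp, not
#     preceded by a word character, '.', '/' or ':' (filters out URLs).
#   - Windows: drive letter, backslash-separated directories, .jsp file.
PATH_PATTERNS = [
    re.compile(r"(?<![\w./:])(/(?:[\w.\-]+/)+[\w.\-]+\.jsp)", re.I),
    re.compile(r"([A-Za-z]:\\(?:[\w.\- ]+\\)+[\w.\-]+\.jsp)", re.I),
]


def find_disclosed_paths(body):
    """Return the distinct filesystem paths found in an HTTP response body."""
    found = []
    for pattern in PATH_PATTERNS:
        for match in pattern.finditer(body):
            path = match.group(1)
            if path not in found:
                found.append(path)
    return found


def probe_path(host, port=80, timeout=10):
    """Request a random top-level .jsp name and report any leaked paths.

    A top-level name (no directory component) is used on purpose: a 404 page
    that merely echoes the request URI then never matches PATH_PATTERNS.
    Returns (requested_name, status_code, disclosed_paths).
    """
    name = "/nonexistent-%s.jsp" % uuid.uuid4().hex[:8]
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", name, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
    finally:
        conn.close()
    return name, resp.status, find_disclosed_paths(body)


# Constructed sample of a leaking error page (the install path is made up).
SAMPLE_RESPONSE = """<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
java.io.FileNotFoundException: /u01/app/oracle/product/ias/Apache/Apache/htdocs/doesnotexist.jsp
(No such file or directory)
</BODY></HTML>"""

# Constructed sample of a well-behaved 404 page: only the request URI appears.
SAMPLE_CLEAN_RESPONSE = "<HTML><BODY>The requested URL /doesnotexist.jsp was not found.</BODY></HTML>"


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("usage: probe.py HOST [PORT]")
        print("offline sample:", find_disclosed_paths(SAMPLE_RESPONSE))
        sys.exit(0)
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    requested, status, leaked = probe_path(sys.argv[1], target_port)
    print("GET %s -> HTTP %d" % (requested, status))
    for leaked_path in leaked:
        print("path disclosed:", leaked_path)
```

Run it without arguments to see the parser applied to the embedded sample; with a host, it performs the live request. Error pages that name a directory without a .jsp file name are not caught by these patterns and would need a looser expression, at the cost of more false positives.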

See also :

Solution :

Ensure that the virtual paths used in URLs differ from the actual
directory paths on disk. Also, do not use the <servletzonepath> directory
in 'ApJServMount <servletzonepath> <servletzone>' to store data or files.

Upgrading to a later Oracle 9iAS release will also fix this issue.
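As an added illustration of the first recommendation (not configuration from the plugin or from Oracle), the fragment below contrasts a mount whose URL prefix coincides with a real directory under DocumentRoot with one that does not. The DocumentRoot value, the servlet zone name and the /servlets and /app prefixes are assumptions chosen for the example.

```apache
# Assumed DocumentRoot for the example.
DocumentRoot "/u01/app/oracle/product/ias/Apache/Apache/htdocs"

# Weak: the URL prefix /servlets is also a real directory,
# /u01/app/oracle/product/ias/Apache/Apache/htdocs/servlets, and files are
# kept there, so a request for a missing .jsp under it maps straight onto a
# physical path that the error page can name.
ApJServMount /servlets /root

# Corrected: the URL prefix /app does not exist under DocumentRoot, and the
# servlet zone's classes and data live outside the document tree, so there is
# no matching on-disk path to disclose.
ApJServMount /app /root
```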

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 11226

Bugtraq ID: 3341

CVE ID: CVE-2001-1372