Oracle 9iAS Nonexistent .jsp File Request Error Message Path Disclosure

This script is Copyright (C) 2003-2014 Javier Fernandez-Sanguino
Synopsis :

It is possible to obtain the physical path of the remote server web
root.

Description :

Oracle 9iAS allows remote attackers to obtain the physical path of a
file under the server root via a request for a nonexistent .JSP file.
The default error generated leaks the pathname in an error message.
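
The disclosure described above is easiest to verify from the defender's side by looking at what your own error pages actually return. The following is an added example, not part of the Nessus plugin or of Oracle's code: a small Python check that scans an HTTP error body for absolute Unix or Windows filesystem paths while ignoring the request URI that 404 pages routinely echo back. The sample bodies, and the paths inside them, are constructed placeholders rather than real Oracle 9iAS output.

```python
"""Detect leaked filesystem paths in an HTTP error page body.

Added example (not the Nessus plugin's code). All sample bodies below are
constructed; the paths in them are invented placeholders.
"""
import re
from typing import List, Tuple

# Unix absolute path: two or more "/segment" components, not glued to a
# preceding word character or slash (so "http://host/a/b" is not matched
# starting at the host, and "//x" is skipped).
_UNIX_PATH = re.compile(r"(?<![\w/])(?:/[A-Za-z0-9_.\-]+){2,}")

# Windows absolute path: drive letter, colon, backslash-separated segments.
_WIN_PATH = re.compile(r"\b[A-Za-z]:\\(?:[A-Za-z0-9_.\-]+\\)*[A-Za-z0-9_.\-]+")


def leaked_paths(body: str, request_uri: str) -> List[str]:
    """Return path-like strings in `body` that are not simply the request URI.

    A 404 page that echoes "/servlets/nothere.jsp" is fine; a page that
    prints where on disk the server looked for that file is a disclosure.
    """
    found: List[str] = []
    for pattern in (_UNIX_PATH, _WIN_PATH):
        for match in pattern.finditer(body):
            candidate = match.group(0)
            if candidate == request_uri:
                continue  # the virtual path is public knowledge, not a leak
            found.append(candidate)
    return found


def scan_responses(responses: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run the check over (request_uri, body) pairs; return (uri, path) hits."""
    hits: List[Tuple[str, str]] = []
    for uri, body in responses:
        for path in leaked_paths(body, uri):
            hits.append((uri, path))
    return hits


# Constructed sample responses (placeholders, not real 9iAS output).
REQUEST_URI = "/servlets/nothere.jsp"

LEAKY_BODY = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>java.io.FileNotFoundException: "
    "/srv/example-9ias/htdocs/servlets/nothere.jsp "
    "(No such file or directory)</p></body></html>"
)

WIN_BODY = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>java.io.FileNotFoundException: "
    "D:\\oracle\\9ias\\htdocs\\servlets\\nothere.jsp "
    "(The system cannot find the path specified)</p></body></html>"
)

CLEAN_BODY = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>The requested URL /servlets/nothere.jsp was not found "
    "on this server.</p></body></html>"
)

if __name__ == "__main__":
    for uri, path in scan_responses(
        [(REQUEST_URI, LEAKY_BODY), (REQUEST_URI, WIN_BODY), (REQUEST_URI, CLEAN_BODY)]
    ):
        print(f"path disclosure for {uri}: {path}")
```

Pointing `scan_responses` at bodies captured from your own server's custom error page for a deliberately nonexistent `.jsp` name gives a quick regression check after applying the vendor fix or changing the error handler.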

See also :

http://www.nessus.org/u?8d439be5
http://www.nessus.org/u?97653726

Solution :

Ensure that the virtual path in the URL differs from the actual directory
path. Also, do not store data or files in the <servletzonepath> directory
given in 'ApJServMount <servletzonepath> <servletzone>'.

Upgrading to Oracle 9iAS 1.1.2.0.0 will also fix this issue.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 11226

Bugtraq ID: 3341

CVE ID: CVE-2001-1372