Oracle 9iAS _pages Directory Compiled JSP Source Disclosure

This script is Copyright (C) 2002-2016 Matt Moore

Synopsis :

Sensitive data may be read on the remote host.

Description :

In a default installation of Oracle 9iAS it is possible to read the
source of JSP files. When a JSP is requested it is compiled 'on the fly'
and the resulting HTML page is returned to the user. Oracle 9iAS uses a
folder, _pages, to hold the intermediate files during compilation. These
files are created in the same folder in which the .JSP page resides.
Hence, it is possible to access the .java and compiled .class files for
a given JSP page.

Solution :

Edit httpd.conf to disallow access to the _pages folder.
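
One way to write that restriction, as an added example that is not part of the original advisory or of Oracle's documentation. It assumes the Oracle HTTP Server shipped with 9iAS accepts Apache 1.3 directives (mod_access, POSIX regular expressions) and that the folder is reachable under a URL path segment named _pages.

```apache
# Added example for httpd.conf (mod_access syntax, Apache 1.3 style).
# Deny every request whose URL path contains a /_pages/ segment, so the
# intermediate .java and .class files cannot be fetched over HTTP.
# The character classes make the match case-insensitive without relying
# on PCRE-only flags.
<LocationMatch "/_[Pp][Aa][Gg][Ee][Ss](/|$)">
    Order deny,allow
    Deny from all
</LocationMatch>

# Equivalent on servers that use Apache 2.4 authorization (mod_authz_core):
# <LocationMatch "(?i)/_pages(/|$)">
#     Require all denied
# </LocationMatch>
```

After restarting the server, a request for any path under _pages should return 403 Forbidden while the JSP pages themselves still render.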

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 10852

Bugtraq ID: 4034

CVE ID: CVE-2002-0565
