Oracle JSP Apache/Jserv Path Translation Arbitrary JSP File Execution

This script is Copyright (C) 2002-2015 Michael Scheidell

Synopsis :

A remote web application is vulnerable to several flaws.

Description :

Detects Vulnerability in the execution of JSPs outside doc_root.

A potential security vulnerability has been discovered in Oracle JSP
releases 1.0.x through 1.1.1 (in Apache/Jserv). This vulnerability
permits access to and execution of unintended JSP files outside the
doc_root in Apache/Jserv. For example, accessing
will execute b.jsp outside the doc_root instead of a.jsp if there is a
b.jsp file in the matching directory.

Further, Jserv Releases 1.0.x - 1.0.2 have additional vulnerability:

Due to a bug in Apache/Jserv path translation, any URL that looks like:
http://host:port/servlets/a.jsp, makes Oracle JSP execute
'd:\servlets\a.jsp' if such a directory path actually exists. Thus, a
URL virtual path, an actual directory path and the Oracle JSP name
(when using Oracle Apache/JServ) must match for this potential
vulnerability to occur.

Vulnerable systems:
Oracle8i Release 8.1.7, iAS Release version 1.0.2
Oracle JSP, Apache/JServ Releases version 1.0.x - 1.1.1

Solution :

Upgrade to OJSP Release, available on Oracle
Technology Network's OJSP website.

Risk factor :

Medium / CVSS Base Score : 6.8

Family: Databases

Nessus Plugin ID: 10925 (jserv_execute.nasl)

Bugtraq ID:


Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now