Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Oracle 9iAS SOAP Default Configuration Unauthenticated Application Deployment



A default installation of Oracle 9iAS v. was detected.


In a default installation of Oracle 9iAS v., it is possible to deploy or undeploy SOAP services without the need of any kind of credentials. This is due to SOAP being enabled by default after installation in order to provide a convenient way to use SOAP samples. However, this feature poses a threat to HTTP servers with public access since remote attackers can create SOAP services and then invoke them remotely. Since SOAP services can contain arbitrary Java code in Oracle 9iAS this means that an attacker can execute arbitrary code in the remote server.


Disable SOAP.