
Oracle 9iAS .JSP File Request Default Error Information Disclosure

Medium

Synopsis

Oracle 9iAS allows remote attackers to obtain the physical path of a file under the server root via a request for a non-existent .JSP file.

Description

Oracle 9iAS allows remote attackers to obtain the physical path of a file under the server root via a request for a non-existent .JSP file. The default error page returned for such a request includes the file's physical pathname, which reveals where the server maps the URL space onto the filesystem.
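The following Python check is an added example, not part of the original advisory and not Oracle or Tenable code. It requests a non-existent .jsp and scans the error body for an absolute filesystem path (Unix or Windows) that ends in the requested file name, treating an error page that merely echoes the URL path as a non-finding. The error text, hostnames and paths in the sample are constructed for illustration and are not real 9iAS output.

```python
"""Detect a leaked physical path in the error page returned for a missing .jsp.

Added example, not from the original advisory. The sample error body,
URL path and filesystem paths below are constructed for illustration.
"""
import re
from typing import List
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Unix-style absolute path ending in a .jsp file, e.g. /u01/.../htdocs/x.jsp
UNIX_PATH = re.compile(r"(?<![\w/])(/(?:[\w.\-]+/)+[\w.\-]+\.jsp)\b", re.IGNORECASE)
# Windows drive path ending in a .jsp file, e.g. C:\oracle\...\htdocs\x.jsp
WIN_PATH = re.compile(r"\b([A-Za-z]:\\(?:[\w.\- ]+\\)+[\w.\-]+\.jsp)\b", re.IGNORECASE)


def find_leaked_paths(body: str, requested_path: str) -> List[str]:
    """Return filesystem paths in `body` that look like the physical location
    of `requested_path`: absolute paths ending in the requested file name.
    The URL path itself is excluded, since an error page echoing the URL
    ("The requested URL /x.jsp was not found") is not a disclosure."""
    name = requested_path.rsplit("/", 1)[-1].lower()
    hits: List[str] = []
    for pattern in (UNIX_PATH, WIN_PATH):
        for path in pattern.findall(body):
            norm = path.replace("\\", "/").lower()
            if norm == requested_path.lower():
                continue  # the URL echoed back, not a physical path
            if norm.endswith("/" + name) and path not in hits:
                hits.append(path)
    return hits


def document_root(physical_path: str, requested_path: str) -> str:
    """Strip the requested URL path off the end of a leaked physical path to
    recover the directory the server maps the URL root onto. Returns "" when
    the leaked path does not end with the requested path."""
    norm_phys = physical_path.replace("\\", "/").lower()
    if not norm_phys.endswith(requested_path.lower()):
        return ""
    return physical_path[: len(physical_path) - len(requested_path)]


def probe(base_url: str, requested_path: str, timeout: float = 10.0) -> List[str]:
    """Request a (presumably non-existent) .jsp and return any leaked paths.
    Error responses (404/500) still carry the body we need, so HTTPError is
    read rather than treated as failure. Network call; unused offline."""
    req = Request(urljoin(base_url, requested_path),
                  headers={"User-Agent": "path-leak-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return find_leaked_paths(body, requested_path)


# Constructed sample: a hypothetical request path and a hypothetical error
# body that both echoes the URL and leaks the physical path.
SAMPLE_REQUEST_PATH = "/servlets/doesnotexist.jsp"
SAMPLE_BODY = (
    "<html><head><title>500 Internal Server Error</title></head><body>\n"
    "java.io.FileNotFoundException: "
    "/u01/app/oracle/product/ias/Apache/Apache/htdocs/servlets/doesnotexist.jsp "
    "(No such file or directory)\n"
    "The requested URL /servlets/doesnotexist.jsp could not be processed.\n"
    "</body></html>"
)

if __name__ == "__main__":
    for leaked in find_leaked_paths(SAMPLE_BODY, SAMPLE_REQUEST_PATH):
        print("leaked path:", leaked)
        print("server root:", document_root(leaked, SAMPLE_REQUEST_PATH))
```

To run it against a live host, call `probe("http://host:port/", "/servlets/<random>.jsp")` with a file name that cannot exist; a non-empty result means the server is still returning the default error page with the physical path. After the fix in the Solution section is applied, the same request should return no absolute path at all.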

Solution

Ensure that the virtual path in the URL differs from the actual directory path on the filesystem. Also, do not use the <servletzonepath> directory named in 'ApJServMount <servletzonepath> <servletzone>' to store data or files.