The Oracle 9iAS web service is powered by the Apache web server and includes support for serving JSP pages. When a user requests a JSP page from a server running OracleJSP, three files are created. These files contain potentially sensitive information. For example, for a page named file.jsp, the files are named as follows:

    _file$__jsp_StaticText.class
    _file.class
    _file.java

These files are stored in the /_pages directory tree. The problem is that the .java file contains source code and may be accessed by arbitrary web users. This may result in the disclosure of database authentication credentials to any user who can guess the path to the untranslated .java file, in addition to disclosing other types of potentially sensitive information.

Furthermore, globals.jsa files may be accessed in this manner, also potentially disclosing sensitive information to remote attackers.
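To check whether these files have already been requested or served, an access-log review along the following lines can be used. This is an added example, not part of the original advisory or Oracle's code; it assumes Apache Common Log Format, and the sample log lines, client addresses and the /app/ path are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: client, request line, status. Trailing fields are ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# OracleJSP translation artifacts under /_pages (.java source, .class files)
# and globals.jsa, matched case-insensitively.
ARTIFACT_RE = re.compile(
    r'(^|/)_pages/.*\.(java|class)$|(^|/)globals\.jsa$', re.IGNORECASE)

def classify(line):
    """Return (client, path, status, served) for a flagged request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    # Drop the query string and decode percent-escapes before matching,
    # so encoded variants of the same path are still caught.
    path = unquote(urlsplit(target).path)
    if not ARTIFACT_RE.search(path):
        return None
    # A 2xx status means the server actually returned the file contents.
    return client, path, int(status), status.startswith("2")

def scan(lines):
    """Classify every log line and keep only the flagged requests."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /file.jsp HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2002:10:00:05 +0000] "GET /_pages/_file.java HTTP/1.0" 200 2048',
    '198.51.100.7 - - [01/Jan/2002:10:00:09 +0000] "GET /_pages/_file%2Ejava HTTP/1.0" 403 210',
    '198.51.100.7 - - [01/Jan/2002:10:00:12 +0000] "GET /app/globals.jsa?x=1 HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for client, path, status, served in scan(SAMPLE_LOG):
        verdict = "SERVED" if served else "blocked/failed"
        print(f"{client} {path} -> {status} ({verdict})")
```

Any hit marked SERVED means source or configuration content left the server, so credentials embedded in the affected JSP pages or globals.jsa should be treated as disclosed.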