Oracle JSP/SQLJSP Servlet Execution...
A problem in the Oracle8 database could allow a remote user to execute arbitrary .jsp files. Due to the handling of input by the Oracle JSP agent, it's possible for a remote user to access files that may be execution restricted. Upon connecting to a web server using the Oracle database, and running on a Windows 2000 system, it's possible for a user to execute java servlet pages on the same partition as the web server root. This is done by connecting to the web server, and requesting a file such as http://webhost/servlet//..//..//o.jsp, which would execute the file c:\o.jsp, presuming such a file existed, and that the web server root was on the c:\ partition. This would also create directory C:\servlet\_pages\_servlet, and copy the source and .class file of o.jsp into the created directory. This makes it possible for a user with knowledge of the web infrastructure to execute arbitrary .jsp files, and potentially learn information that could aide in gaining local access to the...
