[19186] in bugtraq
Solution for Potential Vunerability in Granting FilePermission to
daemon@ATHENA.MIT.EDU (Oracle Security Alerts)
Tue Feb 13 17:04:06 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3A88601B.7A407CFE@oracle.com>
Date: Mon, 12 Feb 2001 14:13:47 -0800
Reply-To: Oracle Security Alerts <secalert_us@ORACLE.COM>
From: Oracle Security Alerts <secalert_us@ORACLE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Solution for Potential Vulnerability in Granting FilePermission to
Oracle Java Virtual Machine
Versions Affected
Oracle8i Release 3 (8.1.7)
Oracle Application Server 9iAS Release 1.0.2.0.1
Platforms Affected
All
Description of the Problem
A potential vulnerability in Oracle JVM has been discovered. The Oracle
Servlet Engine in the Oracle JVM security policy recommends granting
file permissions in a very controlled manner. When this policy is
disregarded and FilePermission is granted to <<ALL FILES>> within a web
domain, there exists a potential vulnerability of viewing directories
and static files outside the web root with the help of .jsp and .sqljsp
extensions.
e.g.
call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission',
'<<ALL FILES>>','read');
Thus, it may also be possible to execute .jsp files outside the web
root.
Likelihood of Occurrence
In a Netscape browser, a URL containing "the current hierarchy level"
(".") and/or "the level above this hierarchy level" ("..")
Solution
To avoid this vulnerability, grant permission to the explicit document
root file path only.
e.g.
call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission',
'(actually directory path)','read');
