[22661] in bugtraq


Yet another path disclosure vulnerability

daemon@ATHENA.MIT.EDU (KK Mookhey)
Mon Sep 17 11:34:07 2001

X-Apparently-From: <kkmookhey@yahoo.com>
Message-ID: <014101c13f57$73652e40$0200a8c0@vsnl.net.in>
From: "KK Mookhey" <kkmookhey@yahoo.com>
To: <bugtraq@securityfocus.com>
Date: Mon, 17 Sep 2001 14:32:08 +0530
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Product: Oracle 9i Application Server.

Description: The Oracle 9i Application Server uses the Apache web server for HTTP service.
However, if a request is made for a non-existent .jsp file, the complete path is shown.
For instance, if you were to make the following request at a server running Oracle 9iAS,
http://server/Content/Home/anyfile.jsp,
then the output would be:

<Output begins>
                                            JSP Error:
--------------------------------------------------------------------------------

Request URI:/Content/Home/Jsp/anyfile.jsp

Exception:
javax.servlet.ServletException: java.io.FileNotFoundException:
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp
(The system cannot find the file specified)
--------------------------------------------------------------------------------
<End of output>

In case this is already documented, my apologies. I couldn't find it in the vulnerabilities database of Security Focus, and a
Google search failed too.

Severity: Minor irritation

Systems Affected: I guess anyone running the product. I got the results on a Win 2K machine.

That's about it.

K. K. Mookhey

--Sorry, ran out of cool witticisms--
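
Added example, not part of the original message: a check an administrator can run over error responses captured from their own server to flag the path disclosure described in the post above. The URLs, sample bodies and function names are constructed for illustration, and the pattern goes slightly beyond the post by also matching Unix-style absolute paths.

```python
import html
import re

# Constructed sample: the error body quoted in the post, plus a generic 404.
LEAKY_BODY = r"""JSP Error:
Request URI:/Content/Home/Jsp/anyfile.jsp

Exception:
javax.servlet.ServletException: java.io.FileNotFoundException:
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp
(The system cannot find the file specified)
"""
CLEAN_BODY = "<html><body><h1>404 Not Found</h1></body></html>"

# A Java exception/error class name, a colon, then an absolute path
# (drive-letter form, or rooted Unix form with two or more components).
# Anchoring on the exception name keeps the Request URI line from matching.
LEAK = re.compile(
    r'(?P<exc>(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)):\s*'
    r'(?P<path>[A-Za-z]:\\[^\s"<>|]+|/(?:[\w.\-]+/)+[\w.\-]+)'
)

def find_path_leaks(body):
    """Return (exception class, absolute path) pairs found in a response body."""
    text = html.unescape(body)  # error pages often HTML-escape the message
    return [(m.group("exc"), m.group("path")) for m in LEAK.finditer(text)]

def audit(responses):
    """Map each probed URL to its leaks; URLs with clean bodies are omitted."""
    report = {}
    for url, body in responses.items():
        leaks = find_path_leaks(body)
        if leaks:
            report[url] = leaks
    return report

if __name__ == "__main__":
    # Hypothetical URLs; bodies would come from your own server's responses.
    captured = {
        "http://server/Content/Home/anyfile.jsp": LEAKY_BODY,
        "http://server/missing.html": CLEAN_BODY,
    }
    for url, leaks in audit(captured).items():
        for exc, path in leaks:
            print(f"{url}: {exc} discloses {path}")
```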



