Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2003-2022 Javier Fernandez-SanguinoORACLE9I_JSPDEFAULTERROR.NASL
HistoryFeb 11, 2003 - 12:00 a.m.

Oracle 9iAS Nonexistent .jsp File Request Error Message Path Disclosure

2003-02-1100:00:00
This script is Copyright (C) 2003-2022 Javier Fernandez-Sanguino
www.tenable.com
27
JSON

Oracle 9iAS allows remote attackers to obtain the physical path of a file under the server root via a request for a nonexistent .JSP file.
The default error generated leaks the pathname in an error message.

#%NASL_MIN_LEVEL 70300
#
# This script was written by Javier Fernandez-Sanguino <[email protected]>
#
# This software is distributed under the GPL license, please
# read the license at http://www.gnu.org/licenses/licenses.html#TOCGPL
#

# Changes by Tenable:
# - Revised plugin title (6/9/09)

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(11226);
  script_version("1.29");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2001-1372");
  script_bugtraq_id(3341);
  script_xref(name:"CERT-CC", value:"CA-2002-08");
  script_xref(name:"CERT", value:"278971");

  script_name(english:"Oracle 9iAS Nonexistent .jsp File Request Error Message Path Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to obtain the physical path of the remote server web
root.");
  script_set_attribute(attribute:"description", value:
"Oracle 9iAS allows remote attackers to obtain the physical path of a
file under the server root via a request for a nonexistent .JSP file.
The default error generated leaks the pathname in an error message.");
  # http://web.archive.org/web/20011105102510/http://otn.oracle.com/deploy/security/pdf/jspexecute_alert.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8d439be5");
  # http://web.archive.org/web/20030405210233/http://www.nextgenss.com/papers/hpoas.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?97653726");
  script_set_attribute(attribute:"solution", value:
"Ensure that virtual paths of URL is different from the actual directory
path. Also, do not use the <servletzonepath> directory in
'ApJServMount <servletzonepath> <servletzone>' to store data or files.

Upgrading to Oracle 9iAS 1.1.2.0.0 will also fix this issue.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2002/02/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/02/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_server");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2003-2022 Javier Fernandez-Sanguino");

  script_dependencies("find_service1.nasl", "http_version.nasl");
  script_require_keys("www/OracleApache");
  script_require_ports("Services/www", 80);

  exit(0);
}

# Check starts here

include("http_func.inc");
include("global_settings.inc");

port = get_http_port(default:80, embedded:TRUE);


if(get_port_state(port))
{
# Make a request for the configuration file

     errorjsp = "/nonexistent.jsp";
     req = http_get(item: errorjsp, port: port);
     soc = http_open_socket(port);
     if(soc) {
        send(socket:soc, data:req);
         r = http_recv(socket:soc);
         http_close_socket(soc);
         location = egrep(pattern:"java.io.FileNotFoundException:", string :r);
         if ( location )  {
	   foreach var line (split(location, keep:FALSE)) {
	     path = strstr(line, "java.io.FileNotFoundException:") - "java.io.FileNotFoundException:";
	     while (strlen(path) && path[0] == ' ')
	       path = substr(path, 1);
	     if (substr(errorjsp, 1) >< path) {
	       path = path - strstr(path, substr(errorjsp, 1));
	       if (path =~ "[/\\]$") path = substr(path, 0, strlen(path)-2);
	     }
	   }
	   if (strlen(path) && path !~ '^ +$') {
	     security_warning(port:port, extra: 'The web root physical path is :\n\n  '+ path+'\n');
	     exit(0);
	   }
	 }
     } # if (soc)
}
VendorProductVersionCPE
oracleapplication_servercpe:/a:oracle:application_server

Related

cve 1
openvas 4
nessus 2
cve
cve
CVE-2001-1372
2002-02-06 05:00:00
openvas
openvas
Oracle 9iAS default error information disclosure
2005-11-03 00:00:00
Oracle 9iAS default error information disclosure
2005-11-03 00:00:00
Non-Existant Page Physical Path Disclosure Vulnerability
2005-11-03 00:00:00
nessus
nessus
Nonexistent Page (404) Physical Path Disclosure
2003-06-11 00:00:00
Oracle Application Server Multiple Vulnerabilities
2012-01-24 00:00:00
JSON
Related for ORACLE9I_JSPDEFAULTERROR.NASL
cve1openvas4nessus2