Source: nessus | This script is Copyright (C) 2003-2022 Javier Fernandez-Sanguino | ORACLE9I_SOAPDOCS.NASL
History: Feb 11, 2003 - 12:00 a.m.

Oracle 9iAS soapdocs Directory Remote Information Disclosure

2003-02-11 00:00:00
This script is Copyright (C) 2003-2022 Javier Fernandez-Sanguino
www.tenable.com

It is possible to access the Oracle 9iAS Application Server’s SOAP documentation directory, which contains the install scripts used with the default SOAP install. These files might be useful for an attacker to determine which application server is in use as well as the name of the disk where Oracle is installed.

Note that the default installation of Oracle 9iAS 1.0.2.2 does not seem to suffer from this issue.

#%NASL_MIN_LEVEL 70300
#
# This script was written by Javier Fernandez-Sanguino <[email protected]>
# 
# This software is distributed under the GPL license, please
# read the license at http://www.gnu.org/licenses/licenses.html#TOCGPL
#

# Changes by Tenable:
# - Revised plugin title (6/9/09)

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin metadata. When the script is loaded with 'description' set, only
# this block runs: it registers the plugin's identity, text, risk vector and
# prerequisites, then exits without touching the target.
if (description)
{
  script_id(11223);
  script_version("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
  script_xref(name:"CERT-CC", value:"CA-2002-08");

  script_name(english:"Oracle 9iAS soapdocs Directory Remote Information Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an information disclosure issue.");
  script_set_attribute(attribute:"description", value:
"It is possible to access the Oracle 9iAS Application Server's SOAP
documentation directory, which contain the install scripts used with the
default SOAP install.  These files might be useful for an attacker to
determine which application server is in use as well as the name of the
disk where Oracle is installed. 

Note that the default installation of Oracle 9iAS 1.0.2.2 does not seem
to suffer this issue.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/index.html");
  script_set_attribute(attribute:"see_also", value:"http://www.nextgenss.com/papers/hpoas.pdf");
  # NOTE(review): the Apache-based server's main configuration file is
  # normally named 'httpd.conf'; 'http.conf' below may be a typo - confirm
  # before relying on the remediation text.
  script_set_attribute(attribute:"solution", value:
"Remove the 'soapdocs' alias from the Oracle 9iAS 'http.conf'.");
  # CVSS v2 vector: reachable over the network, low attack complexity, no
  # authentication, partial confidentiality impact, no integrity or
  # availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_set_attribute(attribute:"plugin_publication_date", value:"2003/02/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:application_server");
  # The check consults 'thorough_tests': without it, probing stops at the
  # first accessible document; with it, every listed document is requested.
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # Information gathering only: the check issues plain HTTP GET requests.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2003-2022 Javier Fernandez-Sanguino");

  # Prerequisites: service discovery and HTTP fingerprinting run first, and
  # the plugin is only scheduled when the 'www/OracleApache' KB key exists
  # (presumably set by an earlier fingerprinting plugin - confirm which one).
  script_dependencies("find_service1.nasl", "http_version.nasl");
  script_require_keys("www/OracleApache");
  script_require_ports("Services/www", 80);

  exit(0);
}

# Check starts here

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

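# Pick the web port to test (default 80).
port = get_http_port(default:80, embedded:TRUE);

# Only probe servers whose HTTP banner mentions Oracle.
banner = get_http_banner(port:port);
if ("Oracle" >!< banner)
  exit (0);

if(get_port_state(port))
{
  # Files expected under the /soapdocs/ alias of a default SOAP install.
  # Somebody needs to parse the Oracle documentation and add more files;
  # these are just some examples.
  document[0]="ReleaseNotes.html";
  document[1]="docs/apiDocs/packages.html";
  document[2]="docs/apiDocs/org.apache.soap.util.xml.XMISerializer.html";

  # This one is too big to be retrieved:
  #   document[X]="docs/apiDocs/AllNames.html";

  # 'info' accumulates one line per accessible document.
  info = "";
  for ( i=0; document[i]; i = i + 1 )
  {
    req = http_get(item:string("/soapdocs/", document[i]), port:port);
    r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);

    # No response: stop probing, but fall through so that documents already
    # found are still reported. Exiting here would silently discard earlier
    # hits when thorough_tests is enabled.
    if ( r == NULL ) break;

    # NOTE(review): only the response body is examined (bodyonly:1), so the
    # HTTP status is never checked. A custom error page that happens to
    # contain one of these generic strings (e.g. "SOAP") would be reported
    # as accessible; consider also requiring a 200 status to reduce false
    # positives.
    if ( "SOAP" >< r || "Index of" >< r || "Package Index" >< r || "Generated by javadoc"  >< r )
    {
      info += '  - /soapdocs/' + document[i] + '\n';
      # One hit is enough unless the user asked for thorough tests.
      if (!thorough_tests) break;
    }
  }

  if (info)
  {
    # Pluralise the report sentence according to the number of hits.
    if (max_index(split(info)) > 1) s = "s are";
    else s = " is";

    report = string(
      "\n",
      "The following SOAP document", s, " accessible :\n",
      "\n",
      info
    );
    security_warning(port:port, extra:report);
  }

  # TODO:
  # This should also look inside the documentation and retrieve the precise
  # version. Sample: ReleaseNotes.html has <center>iAS v1.X.X.X</center>,
  # which indicates the Oracle iAS version.
}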
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| oracle | application_server | | cpe:/a:oracle:application_server |