oracle.9i.path.txt

2001-09-19T00:00:00
ID PACKETSTORM:25299
Type packetstorm
Reporter KK Mookhey
Modified 2001-09-19T00:00:00

Description

                                        
                                            `Product: Oracle 9i Application Server.  
  
Description: The Oracle 9i Application Server uses the Apache web server for HTTP service.  
However, if a request is made for a non-existent .jsp file, the complete path is shown.  
For instance, if you were to make the following request at a server running Oracle 9iAS,  
http://server/Content/Home/anyfile.jsp,  
then the output would be:  
  
<Output begins>  
JSP Error:  
--------------------------------------------------------------------------------  
  
Request URI:/Content/Home/Jsp/anyfile.jsp  
  
Exception:  
javax.servlet.ServletException: java.io.FileNotFoundException:  
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp  
(The system cannot find the file specified)  
--------------------------------------------------------------------------------  
<End of output>  
  
In case, this is already documented, my apologies. I couldn't find it in the vulnerabilities database of Security Focus, and a  
google search failed too.  
  
Severity: Minor irritation  
  
Systems Affected: I guess anyone running the product. I got the results on a Win 2K machine.  
  
Thats about it.  
  
K. K. Mookhey  
  
--Sorry, ran out of cool witticisms--  
`