The Oracle 9i Application Server uses the Apache web server for HTTP service. However, if a request is made for a non-existent .jsp file, the complete path is shown.
Product: Oracle 9i Application Server.
Description: The Oracle 9i Application Server uses the Apache web server for HTTP service.
However, if a request is made for a non-existent .jsp file, the complete path is shown.
For instance, if you were to make the following request at a server running Oracle 9iAS,
http://server/Content/Home/anyfile.jsp,
then the output would be:
<Output begins>
JSP Error:
--------------------------------------------------------------------------------
Request URI:/Content/Home/Jsp/anyfile.jsp
Exception:
javax.servlet.ServletException: java.io.FileNotFoundException:
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp
(The system cannot find the file specified)
--------------------------------------------------------------------------------
<End of output>
In case this is already documented, my apologies. I couldn't find it in the vulnerabilities database of Security Focus, and a Google search failed too.
Severity: Minor irritation
Systems Affected: I guess anyone running the product. I got the results on a Win 2K machine.
That's about it.
K. K. Mookhey
--Sorry, ran out of cool witticisms--
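
A regression check for the behaviour described above, as an added example that is not part of the original advisory: it scans an error-page body for a Java exception message that begins with an absolute filesystem path. The function name and the sample bodies are constructed for illustration; the leaking sample reuses the output quoted in the advisory.

```python
import html
import re

# A Java exception class name whose message starts with an absolute
# filesystem path: a Windows drive path (d:\...) or a Unix path (/...).
LEAK = re.compile(
    r'(?P<exc>\bjavax?\.[\w.]+(?:Exception|Error)):\s*'
    r'(?P<path>[A-Za-z]:\\[^\r\n<>"|?*]+|/[^\s<>"]+)'
)
# OS error text appended after the path, e.g. " (The system cannot find ...)".
TRAILING_MESSAGE = re.compile(r'\s+\([^()]*\)$')


def find_path_disclosures(body):
    """Return (exception_class, filesystem_path) pairs leaked in an error page."""
    # Drop markup and decode entities so HTML-formatted error pages are covered.
    text = html.unescape(re.sub(r'<[^>]+>', ' ', body))
    findings = []
    for m in LEAK.finditer(text):
        path = TRAILING_MESSAGE.sub('', m.group('path').strip())
        findings.append((m.group('exc'), path))
    return findings


# Constructed sample: the error output quoted in the advisory.
SAMPLE_LEAK = r"""JSP Error:
Request URI:/Content/Home/Jsp/anyfile.jsp
Exception:
javax.servlet.ServletException: java.io.FileNotFoundException:
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp
(The system cannot find the file specified)
"""

# Constructed sample: the same exception with path and OS message on one line.
SAMPLE_ONE_LINE = (
    r"<p>java.io.FileNotFoundException: d:\oracle\ias\apache\apache\htdocs"
    r"\company\content\home\jsp\anyfile.jsp (The system cannot find the file specified)</p>"
)

# Constructed sample: a generic error page that reveals nothing about the host.
SAMPLE_GENERIC = "<html><body><h1>404</h1><p>The requested page was not found.</p></body></html>"

if __name__ == "__main__":
    for name, body in [("leak", SAMPLE_LEAK), ("one-line", SAMPLE_ONE_LINE), ("generic", SAMPLE_GENERIC)]:
        print(name, find_path_disclosures(body))
```

The echoed Request URI is not reported, because only a path that follows an exception class name counts as a disclosure.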