JSP translation file access under Oracle 9iAS

From: NGSSoftware Insight Security Research (nisrat_private)
Date: Tue Feb 05 2002 - 22:39:26 PST


    NGSSoftware Insight Security Research Advisory
    
    Name:    OracleJSP
    Systems Affected:  Oracle 9iAS
    Platforms:  All Operating Systems
    Severity:  Medium/High Risk
    Vendor URL:   http://www.oracle.com/
    Author:   David Litchfield (davidat_private)
    Date:   6th February 2002
    Advisory number: #NISR06022002C
    Advisory URL:  http://www.nextgenss.com/advisories/orajsp.txt
    
    
    Description
    ***********
    The web service with Oracle 9iAS is powered by Apache and provides many
    application environments with which to offer services from the site. These
    include SOAP, PL/SQL, XSQL and JSP. A security issue exists in the OracleJSP
    environment where an attacker can get access to the source code of the
    translated JSP page. A second issue relates to an attacker gaining access
    to the globals.jsa contents.
    
    
    Details
    *******
    When a user requests a JSP page from a server running OracleJSP the JSP page
    is translated, compiled and executed with the results being returned to the
    requesting client. During this process three intermediary files are created.
    Assuming the JSP page is named "foo.jsp"
    
    _foo$__jsp_StaticText.class
    _foo.class
    _foo.java
    
    these are stored in the /_pages directory. If foo.jsp existed in a
    subdirectory named "bar", i.e. /bar/foo.jsp, a "_bar" directory would be
    created under the "_pages" directory and the three files placed here.
    
    For more details on exact naming conventions please read
    http://download-west.oracle.com/otndoc/oracle9i/901_doc/java.901/a90208/trandepl.htm
    
    
    The problem arises because the translated .java file contains the clear
    text source code and can be accessed directly. As this will often contain
    sensitive information, such as a database UserID and password, and
    business logic, this is considered a security risk.
    
    
    Further to this if the JSP application is using a globals.jsa file for
    setting application wide settings an attacker may access this directly and
    gain access to the contents. This poses the same threat: as the globals.jsa
    can contain sensitive information it must be protected.
    
    
    Fix Information
    ***************
    To address these problems edit the httpd.conf file found in the
    $ORACLE_HOME$/apache/apache/conf directory.
    
    
    To prevent access to the globals.jsa file add the following entry:
    
    <Files ~ "^globals\.jsa">
        Order allow,deny
        Deny from all
    </Files>
    
    To prevent access to the .java pages add the following entry:
    
    <Location /_pages>
        Order deny,allow
        Deny from all
    </Location>
    
    
    Note that if the JSP pages are stored in an aliased directory (i.e. not a
    subdirectory of "htdocs") then it is necessary to add an entry of
    
    <Location /dirname/_pages>
        Order deny,allow
        Deny from all
    </Location>
    
    where "dirname" is the name of the aliased directory.
    
    
    Oracle were informed of these issues on the 17th of December.
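
One way to check an httpd.conf for the entries listed under Fix Information, including the /dirname/_pages case for aliased directories. This is an added example, not part of the NGSSoftware advisory or any Oracle tooling. The sample configuration, the /apps/ alias and all function names are constructed for illustration; the check is text-level only (it treats every Alias as a possible JSP directory, and does not follow Include files or handle LocationMatch/FilesMatch).

```python
import re

# Constructed sample httpd.conf (not from the advisory): fix applied, alias overlooked.
SAMPLE_CONF = r'''
Alias /apps/ "/u01/jsp-apps/"
<Files ~ "^globals\.jsa">
    Order allow,deny
    Deny from all
</Files>
<Location /_pages>
    Order deny,allow
    Deny from all
</Location>
'''

BLOCK = re.compile(r'<(Location|Files)\s+(.*?)>(.*?)</\1>', re.S | re.I)

def active(conf):
    """Drop commented-out lines so a disabled block is not counted as a fix."""
    return '\n'.join(l for l in conf.splitlines() if not l.lstrip().startswith('#'))

def denied_blocks(conf):
    """Return (kind, argument) for each Location/Files block with 'Deny from all'."""
    out = []
    for kind, arg, body in BLOCK.findall(conf):
        lines = [l.strip() for l in body.splitlines()]
        if any(re.fullmatch(r'deny\s+from\s+all', l, re.I) for l in lines):
            out.append((kind.lower(), arg.strip()))
    return out

def required_locations(conf):
    """/_pages plus /<alias>/_pages for every Alias directive in the file."""
    needed = ['/_pages']
    for m in re.finditer(r'^\s*Alias\s+(\S+)', conf, re.M | re.I):
        needed.append(m.group(1).rstrip('/') + '/_pages')
    return needed

def audit(conf):
    """List the protections described in the advisory that conf lacks."""
    conf = active(conf)
    denied = denied_blocks(conf)
    locs = {a.strip('"').rstrip('/') for k, a in denied if k == 'location'}
    missing = [p for p in required_locations(conf) if p not in locs]
    if not any(k == 'files' and 'globals' in a for k, a in denied):
        missing.append('globals.jsa')
    return missing

if __name__ == '__main__':
    for item in audit(SAMPLE_CONF):
        print('not protected:', item)
```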
    


