Test ID: | 1.3.6.1.4.1.25623.1.0.11224 |
Category: | Web application abuses |
Title: | Oracle 9iAS SOAP configuration file retrieval |
Summary: | In a default installation of Oracle 9iAS v.1.0.2.2.1, it is possible to access some configuration files. These files include detailed information on how the product was installed on the server, including where the SOAP provider and service manager are located, as well as administrative URLs to access them. They might also contain sensitive information (usernames and passwords for database access). |
Description: | Summary: In a default installation of Oracle 9iAS v.1.0.2.2.1, it is possible to access some configuration files. These files include detailed information on how the product was installed on the server, including where the SOAP provider and service manager are located, as well as administrative URLs to access them. They might also contain sensitive information (usernames and passwords for database access).
Solution: Modify the file permissions so that the web server process cannot retrieve them. Note, however, that if the XSQLServlet is present, it might bypass filesystem restrictions.
CVSS Score: 2.1
CVSS Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N |
Cross-Ref: | Common Vulnerability Exposure (CVE) ID: CVE-2002-0568
BugTraq ID: 4290
http://www.securityfocus.com/bid/4290
Bugtraq: 20020206 Hackproofing Oracle Application Server paper
http://marc.info/?l=bugtraq&m=101301813117562&w=2
http://www.cert.org/advisories/CA-2002-08.html
CERT/CC vulnerability note: VU#476619
http://www.kb.cert.org/vuls/id/476619
http://www.nextgenss.com/papers/hpoas.pdf |
Copyright | Copyright (C) 2003 Javier Fernandez-Sanguino |