Test ID: | 1.3.6.1.4.1.25623.1.0.11226 |
Category: | Web application abuses |
Title: | Oracle 9iAS default error information disclosure |
Summary: | Oracle 9iAS allows remote attackers to obtain the physical path of a file under the server root via a request for a non-existent .JSP file. The default error generated leaks the pathname in an error message. |
Description: | Summary: Oracle 9iAS allows remote attackers to obtain the physical path of a file under the server root via a request for a non-existent .JSP file. The default error generated leaks the pathname in an error message.
Solution: Ensure that the virtual path of a URL is different from the actual directory path. Also, do not use the 'ApJServMount Upgrading to Oracle 9iAS 1.1.2.0.0 will also fix this issue.
CVSS Score: 5.0
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2001-1372
BugTraq ID: 3341
http://www.securityfocus.com/bid/3341
Bugtraq: 20010917 Yet another path disclosure vulnerability (Google Search)
http://marc.info/?l=bugtraq&m=100074087824021&w=2
Bugtraq: 20010921 Response to "Path disclosure vulnerability in Oracle 9i and 8i (Google Search)
http://marc.info/?l=bugtraq&m=100119633925473&w=2
http://www.cert.org/advisories/CA-2002-08.html
CERT/CC vulnerability note: VU#278971
http://www.kb.cert.org/vuls/id/278971
http://www.nii.co.in/research.html
XForce ISS Database: oracle-jsp-reveal-path(7135)
https://exchange.xforce.ibmcloud.com/vulnerabilities/7135 |
Copyright | Copyright (C) 2003 Javier Fernandez-Sanguino |