M-048: Oracle 9iAS Default Configuration Vulnerability

CIAC ADVISORY NOTICE

M-048: Oracle 9iAS Default Configuration Vulnerability

[NGSSoftware Insight Security Research Advisory #NISR06022002C]

February 27, 2002 20:00 GMT

PROBLEM: A vulnerability in the Oracle Database Server version 9iAS configuration could allow remote users to view the "globals.jsa" file.
PLATFORM: Oracle 9iAS
DAMAGE: If exploited, an attacker could obtain information which may contain Oracle usernames and passwords.
SOLUTION: Apply workarounds listed

VULNERABILITY ASSESSMENT: The risk is HIGH. An attacker could obtain usernames and passwords that can then be used to access the system.

LINKS:  
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-048.shtml
  ORIGINAL BULLETIN: http://www.nextgenss.com/advisories/orajsp.txt

[***** Start NGSSoftware Insight Security Research Advisory #NISR06022002C *****]

NGSSoftware Insight Security Research Advisory

Name: 			OracleJSP 
Systems Affected: 	Oracle 9iAS
Platforms:		All Operating Systems
Severity:		Medium/High Risk
Vendor URL: 		http://www.oracle.com/
Author:			David Litchfield (david@nextgenss.com)
Date:			6th February 2002
Advisory number:	#NISR06022002C
Advisory URL:		http://www.nextgenss.com/advisories/orajsp.txt


Description
***********
The web service with Oracle 9iAS is powered by Apache and provides many application 
environments with which to offer services from the site. These include SOAP, PL/SQL, 
XSQL and JSP. A security issue exists in the OracleJSP environment where an attacker 
can get access to the source code of the translated JSP page. A second 
issue relates to an attacker gaining access to the globals.jsa contents.


Details
*******
When a user requests a JSP page from a server running OracleJSP the JSP page is 
translated, compiled and executed with the results being returned to the requesting 
client. During this process three intermediary files are created. Assuming the JSP 
page is named "foo.jsp"

_foo$__jsp_StaticText.class
_foo.class
_foo.java

these are stored in the /_pages directory. If foo.jsp existed in a subdirectory named 
"bar", i.e. /bar/foo.jsp, a "_bar" directory would be created under the "_pages" 
directory and the three files placed here.

For more details on exact naming conventions please read
http://download-west.oracle.com/otndoc/oracle9i/901_doc/java.901/a90208/trandepl.htm


The problem arises because the translated .java file contains the clear text 
source code and can be accessed directly. As it will often contain sensitive 
information, such as a database UserID and password and business logic, this is 
considered a security risk.


Further to this, if the JSP application is using a globals.jsa file for setting 
application-wide settings, an attacker may access this directly and gain access to the 
contents. This poses the same threat: as the globals.jsa can contain sensitive 
information, it must be protected.


Fix Information
***************
To address these problems edit the httpd.conf file found in the 
$ORACLE_HOME$/apache/apache/conf directory.


To prevent access to the globals.jsa file add the following entry:


    Order allow,deny
    Deny from all


To prevent access to the .java pages add the following entry:


    Order deny,allow
    Deny from all



Note that if the JSP pages are stored in an aliased directory (i.e. not a subdirectory 
of "htdocs") then it is necessary to add an entry of


    Order deny,allow
    Deny from all


where "dirname" is the name of the aliased directory.


Oracle were informed of these issues on the 17th of December.

[***** End NGSSoftware Insight Security Research Advisory #NISR06022002C *****]
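
Added example (not part of the CIAC bulletin or the NGSSoftware advisory): one way to check from the web server's access log whether the workarounds above are holding, and whether globals.jsa or a translated .java file under _pages was already served. It assumes Apache common log format; the log lines and the function names sensitive_kind and audit are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})\b')

def sensitive_kind(target):
    """Classify a request target as 'globals.jsa', 'translated-java' or None."""
    # Drop the query string, decode percent-escapes and fold case before matching,
    # so the check does not depend on how the client spelled the path.
    path = unquote(urlsplit(target).path).replace("\\", "/").lower()
    segments = [s for s in path.split("/") if s]
    if not segments:
        return None
    if segments[-1] == "globals.jsa":
        return "globals.jsa"
    # Matches /_pages/... and an aliased /dirname/_pages/... alike.
    if "_pages" in segments[:-1] and segments[-1].endswith(".java"):
        return "translated-java"
    return None

def audit(lines):
    """Return (client, kind, target, verdict) for every request to a sensitive file."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log-format line
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        kind = sensitive_kind(target)
        if kind is None:
            continue
        if 200 <= status < 300:
            verdict = "EXPOSED"   # content was served: treat its contents as disclosed
        elif status == 403:
            verdict = "blocked"   # a deny rule answered the request
        else:
            verdict = "other"
        findings.append((client, kind, target, verdict))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2002:20:01:11 +0000] "GET /bar/foo.jsp HTTP/1.0" 200 1432',
    '198.51.100.7 - - [27/Feb/2002:20:02:40 +0000] "GET /_pages/_bar/_foo.java HTTP/1.0" 200 5120',
    '198.51.100.7 - - [27/Feb/2002:20:02:44 +0000] "GET /dirname/_pages/_foo.java HTTP/1.0" 403 210',
    '198.51.100.7 - - [27/Feb/2002:20:02:51 +0000] "GET /bar/globals.jsa?x=1 HTTP/1.0" 200 388',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="\t")
```
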


CIAC wishes to acknowledge the contributions of NGSSoftware Ltd. for the information contained in this bulletin.
DOE-CIRC can be contacted at:
    Voice:          +1 866-941-2472 (7 x 24)
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov/