Yet another path disclosure vulnerability

Product: Oracle 9i Application Server.

Description: The Oracle 9i Application Server uses the Apache web server for HTTP service.
However, if a request is made for a non-existent .jsp file, the complete path is shown.
For instance, if you were to make the following request at a server running Oracle 9iAS,
http://server/Content/Home/anyfile.jsp,
then the output would be:

<Output begins>
                                            JSP Error:
--------------------------------------------------------------------------------

Request URI:/Content/Home/Jsp/anyfile.jsp

Exception:
javax.servlet.ServletException: java.io.FileNotFoundException:
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp
(The system cannot find the file specified)
--------------------------------------------------------------------------------
<End of output>

In case this is already documented, my apologies. I couldn't find it in the vulnerabilities database of Security Focus, and a
Google search failed too.

Severity: Minor irritation

Systems Affected: I guess anyone running the product. I got the results on a Win 2K machine.

That's about it.

K. K. Mookhey

--Sorry, ran out of cool witticisms--
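
An added example, not part of the original post: a check an administrator could run over error responses from their own server to spot the disclosure described above. The function name, the patterns and the sample bodies are assumptions made for illustration; the leaky sample is constructed from the output quoted in the post.

```python
import re
from typing import Optional

# Constructed sample: the error page quoted in the post above.
LEAKY_BODY = r"""JSP Error:
Request URI:/Content/Home/Jsp/anyfile.jsp

Exception:
javax.servlet.ServletException: java.io.FileNotFoundException:
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp
(The system cannot find the file specified)
"""
# Constructed sample: a generic 404 body that reveals nothing.
CLEAN_BODY = "<html><body><h1>404 Not Found</h1></body></html>"

# Absolute Windows path (drive letter); stops at whitespace, so paths
# containing spaces are reported truncated.
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\s]+\\)*[^\\/:*?"<>|\s]+')
# Absolute Unix-style path to a .jsp file (for servers not on Windows).
UNIX_PATH = re.compile(r"(?<![\w:/])/(?:[\w.-]+/)+[\w.-]+\.jsp\b")
# Fully qualified Java exception class names.
JAVA_EXC = re.compile(r"\b(?:java|javax)\.[\w.]+Exception\b")
REQ_URI = re.compile(r"Request URI:\s*(\S+)")


def find_path_disclosure(body: str) -> Optional[dict]:
    """Return details if a response body leaks a filesystem path next to
    a Java exception, otherwise None. (Hypothetical helper.)"""
    exceptions = JAVA_EXC.findall(body)
    m = REQ_URI.search(body)
    uri = m.group(1) if m else None
    # The request URI is already known to the client; do not count it.
    paths = [p for p in WIN_PATH.findall(body) + UNIX_PATH.findall(body)
             if p != uri]
    if not (exceptions and paths):
        return None
    return {"request_uri": uri, "exceptions": exceptions, "paths": paths}


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(name, find_path_disclosure(body))
```
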

