NGSSoftware Insight Security Research Advisory

Name: 			OracleJSP 
Systems Affected: 	Oracle 9iAS
Platforms:		All Operating Systems
Severity:		Medium/High Risk
Vendor URL: 		http://www.oracle.com/
Author:			David Litchfield (david@nextgenss.com)
Date:			6th February 2002
Advisory number:	#NISR06022002C
Advisory URL:		http://www.nextgenss.com/advisories/orajsp.txt


Description
***********
The web service with Oracle 9iAS is powered by Apache and provides many application environments
with which to offer services from the site. These include SOAP, PL/SQL, XSQL and JSP. An security
issue exists in the OracleJSP environment where an attacker can get access to the source code
of the of the translated JSP page. There is a second issue relates to an attacker gaining access
to the globals.jsa contents.


Details
*******
When a user requests a JSP page from a server running OracleJSP the JSP page is translated, compiled
and executed with the results being returned to the rquesting client. During this process three
intermediary files are created. Assuming the JSP page is named "foo.jsp"

_foo$__jsp_StaticText.class
_foo.class
_foo.java

these are stored in the /_pages directory. If foo.jsp existed in a subdirectory named "bar",
i.e. /bar/foo.jsp, a "_bar" directory would be created under the "_pages" directory and the
three files placed here.

For more details on exact naming conventions please read
http://download-west.oracle.com/otndoc/oracle9i/901_doc/java.901/a90208/trandepl.htm


The problem arises due to the fact that translated .java file contains the clear text source code
and these can be accessed directlys. As this will often contain sensitive information such as a database
UserID and password and business logic this is considered as a security risk.


Further to this if the JSP application is using a globals.jsa file for setting application wide settings
an attacker may access this directly and gain access to the contents. This poses the same threat: as
the globals.jsa can contain sensitive information it must be protected.


Fix Information
***************
To address these problems edit the httpd.conf file found in the $ORACLE_HOME$/apache/apache/conf
directory.


To prevent access to the globals.jsa file add the following entry:

<Files ~ "^\globals.jsa">
    Order allow,deny
    Deny from all
</Files>

To prevent access to the .java pages add the following entry:

<Location /_pages>
    Order deny,allow
    Deny from all
</Location>


Note that if the JSP pages are stored in a aliased directory (i.e. not a subdirectory of "htdocs") then
it is neccessary to add an entry of

<Location /dirname/_pages>
    Order deny,allow
    Deny from all
</Location>

when "dirname" is the name of the aliased directory.


Oracle were informed of these issues on the 17th of December.