CVE-2002-0565 in Oracle9i

Summary

by MITRE

Oracle 9iAS 1.0.2.x compiles JSP files in the _pages directory with world-readable permissions under the web root, which allows remote attackers to obtain sensitive information derived from the JSP code, including usernames and passwords, via a direct HTTP request to _pages.


Analysis

by VulDB Data Team • 12/23/2024

Oracle 9iAS 1.0.2.x contains a critical permission flaw that exposes compiled JSP files in the _pages directory with world-readable permissions under the web root. This vulnerability stems from improper file system permission configuration during the JSP compilation process, where the system fails to enforce proper access controls on compiled servlet files. The flaw allows remote attackers to directly access these compiled JSP files through HTTP requests, bypassing normal application security mechanisms. The _pages directory serves as the compilation target for JSP files, and when these files are created with overly permissive permissions, they become accessible to any remote user who can make HTTP requests to the web server. This represents a fundamental failure in the principle of least privilege, where sensitive application code and potentially sensitive runtime data are exposed to unauthorized access. The vulnerability is classified under CWE-732 as improper permission assignment for critical resources, which directly enables information disclosure attacks.

From an operational perspective, this vulnerability can lead to complete application compromise as attackers can extract sensitive information including but not limited to database credentials, application logic, and potentially user data embedded within the JSP source code. The exposure of compiled JSP files can reveal application architecture details, business logic, and authentication mechanisms that would otherwise remain hidden. Attackers can leverage this information to plan more sophisticated attacks against the application or its underlying systems. The ATT&CK framework categorizes this as a privilege escalation technique through information gathering, where adversaries exploit weak access controls to obtain sensitive data. This vulnerability also aligns with ATT&CK technique T1552.001 for unsecured credentials, as the exposure of JSP code can reveal credential storage patterns and authentication mechanisms.

The security impact extends beyond simple information disclosure as the compiled JSP files may contain embedded database connection strings, user authentication logic, and application-specific configuration data. This exposure can enable attackers to perform further reconnaissance and potentially escalate privileges within the application environment. The vulnerability affects the web application server's security posture by undermining the fundamental security boundary that should separate public web content from private application code.

Organizations using Oracle 9iAS 1.0.2.x should immediately implement mitigations including proper file system permission configuration, ensuring that compiled JSP files in the _pages directory are not world-readable, and consider implementing additional access controls or web application firewalls to prevent direct access to sensitive directories. The remediation process should also include regular security audits of file permissions and access controls to prevent similar issues in other components of the application stack.
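The permission audit and fix recommended above can be scripted as follows. This is an added example, not code from VulDB, MITRE or Oracle; the function names are hypothetical and the web root path passed as the first argument is an assumption to replace with the server's real document root.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on JSP compilation output.
# Usage (assumed path): sh audit_pages.sh /path/to/web/root

# List every "_pages" directory beneath $1 without descending into it.
find_pages_dirs() {
    find "$1" -type d -name _pages -prune -print 2>/dev/null
}

# Print each file or directory inside a _pages tree that grants read
# access to "other" (world-readable). Symlinks are skipped because their
# own mode bits are not meaningful.
audit_pages() {
    find_pages_dirs "$1" | while IFS= read -r dir; do
        find "$dir" ! -type l -perm -0004 -print
    done
}

# Number of world-readable entries found under _pages trees beneath $1.
count_world_readable() {
    audit_pages "$1" | wc -l | tr -d ' '
}

# Remove all "other" permission bits from every _pages tree beneath $1.
# Content outside _pages is left untouched.
harden_pages() {
    find_pages_dirs "$1" | while IFS= read -r dir; do
        chmod -R o-rwx "$dir"
    done
}

# Build a constructed sample tree (file names are made up) for a dry run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/app/_pages/_sub" "$t/app/public"
    echo 'constructed' > "$t/app/_pages/_login.java"
    echo 'constructed' > "$t/app/_pages/_sub/_db.class"
    echo 'constructed' > "$t/app/public/index.html"
    chmod 755 "$t/app/_pages" "$t/app/_pages/_sub"
    chmod 644 "$t/app/_pages/_login.java" "$t/app/_pages/_sub/_db.class" \
              "$t/app/public/index.html"
    echo "$t"
}

# When given a web root, report findings only; hardening is a separate call.
if [ $# -gt 0 ]; then
    audit_pages "$1"
fi
```

Filesystem bits do not restrict the account that owns the files, so if the HTTP server runs as that account, the access controls on direct requests that the analysis recommends are still needed.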
