From:	 "NGSSoftware Insight Security Research" <nisr@nextgenss.com>
To:	 <bugtraq@securityfocus.com>
Subject: JSP translation file access under Oracle 9iAS
Date:	 Wed, 6 Feb 2002 06:39:26 -0000

NGSSoftware Insight Security Research Advisory

Name:    OracleJSP
Systems Affected:  Oracle 9iAS
Platforms:  All Operating Systems
Severity:  Medium/High Risk
Vendor URL:   http://www.oracle.com/
Author:   David Litchfield (david@nextgenss.com)
Date:   6th February 2002
Advisory number: #NISR06022002C
Advisory URL:  http://www.nextgenss.com/advisories/orajsp.txt


Description
***********
The web service with Oracle 9iAS is powered by Apache and provides many
application environments with which to offer services from the site. These
include SOAP, PL/SQL, XSQL and JSP. A security issue exists in the OracleJSP
environment where an attacker can get access to the source code of the
translated JSP page. A second issue relates to an attacker gaining access to
the globals.jsa contents.


Details
*******
When a user requests a JSP page from a server running OracleJSP the JSP page
is translated, compiled and executed with the results being returned to the
requesting client. During this process three intermediary files are created.
Assuming the JSP page is named "foo.jsp", these are:

_foo$__jsp_StaticText.class
_foo.class
_foo.java

These are stored in the /_pages directory. If foo.jsp existed in a
subdirectory named "bar", i.e. /bar/foo.jsp, a "_bar" directory would be
created under the "_pages" directory and the three files placed there.

For more details on exact naming conventions please read
http://download-west.oracle.com/otndoc/oracle9i/901_doc/java.901/a90208/trandepl.htm


The problem arises because the translated .java file contains the clear text
source code and can be accessed directly. As this will often contain
sensitive information, such as a database UserID and password, and business
logic, this is considered a security risk.


Further to this, if the JSP application is using a globals.jsa file for
setting application wide settings, an attacker may request this file directly
and gain access to its contents. This poses the same threat: as the
globals.jsa can contain sensitive information it must be protected.


Fix Information
***************
To address these problems edit the httpd.conf file found in the
$ORACLE_HOME$/apache/apache/conf directory.


To prevent access to the globals.jsa file add the following entry:

<Files ~ "^globals\.jsa">
    Order allow,deny
    Deny from all
</Files>

To prevent access to the .java pages add the following entry:

<Location /_pages>
    Order deny,allow
    Deny from all
</Location>


Note that if the JSP pages are stored in an aliased directory (i.e. not a
subdirectory of "htdocs") then it is necessary to add an entry of

<Location /dirname/_pages>
    Order deny,allow
    Deny from all
</Location>

where "dirname" is the name of the aliased directory.


Oracle were informed of these issues on the 17th of December.
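
The following is an added example, not part of the original advisory or of
any Oracle tooling: a small audit of an httpd.conf that reports whether the
deny entries from the Fix Information section are present, including one
/_pages entry per Alias. The sample configuration, the /shop alias and its
path are constructed, and only the directive forms used in the advisory
(<Files>, <Location>, Alias) are recognised.

```python
import re

# Constructed sample httpd.conf fragment (not from the advisory): /_pages and
# globals.jsa are protected, but the aliased /shop directory is not.
SAMPLE_CONF = r'''
Alias /shop/ "/u01/apps/shop/"
<Files ~ "^globals\.jsa">
    Order allow,deny
    Deny from all
</Files>
<Location /_pages>
    Order deny,allow
    Deny from all
</Location>
'''

BLOCK = re.compile(r'<(Location|Files)\s+(~\s+)?"?([^">\s]+)"?\s*>(.*?)</\1>',
                   re.S | re.I)

def denies_all(body):
    # Simplification: "Deny from all" and no Allow line means access is denied.
    return (re.search(r'^\s*Deny\s+from\s+all\s*$', body, re.M | re.I) is not None
            and re.search(r'^\s*Allow\s+from', body, re.M | re.I) is None)

def matches_globals(is_regex, arg):
    if not is_regex:
        return arg == "globals.jsa"
    try:
        return re.search(arg, "globals.jsa") is not None
    except re.error:  # pattern is not valid in Python's regex dialect
        return "globals" in arg

def audit(conf):
    """Return sorted findings; an empty list means both fixes are present."""
    denied_locs, globals_ok = set(), False
    for kind, tilde, arg, body in BLOCK.findall(conf):
        if not denies_all(body):
            continue
        if kind.lower() == "location":
            denied_locs.add(arg.rstrip("/"))
        elif matches_globals(bool(tilde), arg):
            globals_ok = True
    aliases = re.findall(r'^\s*Alias\s+(\S+)', conf, re.M | re.I)
    prefixes = [""] + [a.strip('"').rstrip("/") for a in aliases]
    findings = [f"no deny block for {p}/_pages" for p in prefixes
                if f"{p}/_pages" not in denied_locs]
    if not globals_ok:
        findings.append("no <Files> deny block for globals.jsa")
    return sorted(findings)
```

Calling audit(SAMPLE_CONF) reports the missing entry for /shop/_pages; an
empty result means every location named in the fix is covered.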