
Oracle Security Alerts

by Phiber on February 14th, 2001

A potential vulnerability in Oracle JVM has been discovered. The Oracle Servlet Engine in the Oracle JVM security policy recommends granting file permissions in a very controlled manner....

When this policy is disregarded and FilePermission is granted to <> within a web domain, there exists a potential vulnerability of viewing directories and static files outside the web root with the help of .jsp and .sqljsp extensions.


call dbms_java.grant_permission('SCOTT', '',

Thus, it may also be possible to execute .jsp files outside the web

Likelihood of Occurrence:

In a Netscape browser, a URL containing "the current hierarchy level"
(".") and/or "the level above this hierarchy level" ("..")


To avoid this vulnerability, grant permission to the explicit document
root file path only.


call dbms_java.grant_permission('SCOTT', '',
'(actual directory path)','read');
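An added example, not part of the Oracle alert: a small Python audit that resolves "." and ".." in a requested path against the document root and reports which FilePermission grant targets would still allow the read once the path lands outside the root. The `<<ALL FILES>>` token and the `/-` and `/*` suffixes are standard `java.io.FilePermission` path forms, not values taken from this page; the document root, grant list and request paths are constructed, and the matching is an approximation for absolute POSIX paths.

```python
import posixpath

ALL_FILES = "<<ALL FILES>>"  # java.io.FilePermission token that matches every path


def grant_covers(target: str, path: str) -> bool:
    """Approximate FilePermission path matching for absolute POSIX paths."""
    path = posixpath.normpath(path)
    if target == ALL_FILES:
        return True
    if target.endswith("/-"):  # everything below the directory, recursively
        base = posixpath.normpath(target[:-2] or "/")
        return path != base and path.startswith(base.rstrip("/") + "/")
    if target.endswith("/*"):  # only entries directly inside the directory
        base = posixpath.normpath(target[:-2] or "/")
        return path != base and posixpath.dirname(path) == base
    return path == posixpath.normpath(target)


def resolve(doc_root: str, url_path: str) -> str:
    """Map a URL path onto the file system, collapsing '.' and '..' segments."""
    return posixpath.normpath(posixpath.join(doc_root, url_path.lstrip("/")))


def exposed(grants, doc_root: str, url_path: str):
    """Return the grant targets that permit reading url_path outside doc_root."""
    root = posixpath.normpath(doc_root)
    real = resolve(root, url_path)
    if real == root or real.startswith(root.rstrip("/") + "/"):
        return []  # request stays inside the document root
    return [t for t in grants if grant_covers(t, real)]


# Constructed sample data (assumptions, not from the alert).
DOC_ROOT = "/u01/app/webroot"
BROAD_GRANTS = [ALL_FILES, "/u01/app/-"]
SCOPED_GRANTS = ["/u01/app/webroot/-"]

if __name__ == "__main__":
    for request in ("/./index.jsp", "/../private/report.jsp"):
        print(request, "->", resolve(DOC_ROOT, request))
        print("  broad grants expose via: ", exposed(BROAD_GRANTS, DOC_ROOT, request))
        print("  scoped grants expose via:", exposed(SCOPED_GRANTS, DOC_ROOT, request))
```
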
