
Oracle Security Alerts

by Phiber on February 14th, 2001

A potential vulnerability in the Oracle JVM has been discovered. The Oracle JVM security policy for the Oracle Servlet Engine recommends granting file permissions in a very controlled manner.

When this policy is disregarded and FilePermission is granted to <<ALL FILES>> within a web domain, it becomes possible to view directories and static files outside the web root by requesting them with .jsp and .sqljsp extensions.

example:

call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission',
'<<ALL FILES>>','read');

Thus, it may also be possible to execute .jsp files outside the web root.

Likelihood of Occurrence:

In a Netscape browser, a URL containing "the current hierarchy level"
(".") and/or "the level above this hierarchy level" ("..")


Solution:

To avoid this vulnerability, grant permission to the explicit document root file path only.

example:

call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission',
'(actual document root directory path)','read');
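The weak grant and the scoped grant side by side, with a query to find existing wildcard grants, as an added example that is not from the Oracle alert or this post. It assumes Oracle's DBA_JAVA_POLICY view and the DBMS_JAVA package; the schema SCOTT and the path /u01/app/webroot are constructed placeholders.

```sql
-- Added example; not code from the Oracle alert or the Xatrix post.
-- Assumes the Oracle JVM policy view DBA_JAVA_POLICY and the DBMS_JAVA
-- package. SCOTT and /u01/app/webroot are constructed placeholders.

-- 1. Audit: find schemas holding the <<ALL FILES>> wildcard, or a grant
--    rooted at "/" ("/-" is recursive, "/*" is one level), either of
--    which lets servlet code read files far outside the web root.
SELECT grantee, type_schema, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind      = 'GRANT'
   AND type_name = 'java.io.FilePermission'
   AND name IN ('<<ALL FILES>>', '/-', '/*')
 ORDER BY grantee, name;

-- 2. Revoke the over-broad grant. The arguments must match the original
--    grant exactly: grantee, permission type, permission name, action.
CALL dbms_java.revoke_permission('SCOTT', 'SYS:java.io.FilePermission',
                                 '<<ALL FILES>>', 'read');

-- 3. Re-grant scoped to the document root. Java FilePermission semantics:
--    a bare directory path covers only that directory entry itself;
--    "<dir>/*" covers the files directly inside it; "<dir>/-" covers
--    everything below it recursively. A servlet serving static content
--    from the web root needs "/-" on the root, and nothing above
--    /u01/app/webroot is implied by this grant, so a request for
--    ../../etc/passwd resolves to a path the policy does not cover.
CALL dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission',
                                '/u01/app/webroot/-', 'read');

-- 4. Re-run the audit; the SCOTT row should no longer appear, and the
--    only FilePermission left for SCOTT is the document-root grant.
SELECT grantee, name, action
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND grantee = 'SCOTT'
   AND type_name = 'java.io.FilePermission';
```

Grant "write" or "delete" actions on the web root only if the application genuinely needs them; a read-only grant is enough for serving static files and .jsp pages.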

