Signature Detail
This site is deprecated. Please CLICK HERE for latest updates
Short Name |
HTTP:INFO-LEAK:ORACLE-SQL |
|---|---|
Severity |
Minor |
Recommended |
No |
Category |
HTTP |
Keywords |
Oracle SQL Configuration Information Leakage |
Release Date |
2004/12/17 |
Update Number |
1213 |
Supported Platforms |
di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+ |
HTTP: Oracle SQL Configuration Information Leakage
This signature detects attempts to download the XSQLConfig.xml file used by Oracle Server. This file contains sensitive configuration information.
Extended Description
Oracle 9iAS includes two important configuration files called "XSQLConfig.xml" and "soapConfig.xml". The configuration files contain sensitive information, such as database usernames and passwords. Both of these files are accessible to remote clients without any authentication. It is possible for malicious users to access and read the files through a virtual directory. Possibly sensitive information disclosed to attackers may assist in further attacks.
Affected Products
- Oracle oracle8i_standard_edition 8.1.7
- Oracle oracle8i_standard_edition 8.1.7 .1
- Oracle oracle9i_application_server 1.0.2
- Oracle oracle9i_standard_edition 9.0.0
- Oracle oracle9i_standard_edition 9.0.1
References
- BugTraq: 4290
- CERT: CA-2002-08
- CVE: CVE-2002-0568
- URL: http://www.kb.cert.org/vuls/id/476619
- URL: http://www.securityspace.com/smysecure/catid.html?id=10855