Signature Detail
Short Name |
HTTP:INFO-LEAK:ORACLE-SQL |
|---|---|
Severity |
Medium |
Recommended |
No |
Category |
HTTP |
Keywords |
Oracle XSQLConfig leak |
Release Date |
2004/12/17 |
Update Number |
1213 |
Supported Platforms |
di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: Oracle SQL Configuration Information Leakage
This signature detects attempts to download the XSQLConfig.xml file used by Oracle Server. This file contains sensitive configuration information.
Extended Description
Oracle 9iAS includes two important configuration files called "XSQLConfig.xml" and "soapConfig.xml". The configuration files contain sensitive information, such as database usernames and passwords. Both of these files are accessible to remote clients without any authentication. It is possible for malicious users to access and read the files through a virtual directory. Possibly sensitive information disclosed to attackers may assist in further attacks.
Affected Products
- Oracle Oracle8i Standard Edition 8.1.7
- Oracle Oracle8i Standard Edition 8.1.7 .1
- Oracle Oracle9i Application Server 1.0.2
- Oracle Oracle9i Standard Edition 9.0.0
- Oracle Oracle9i Standard Edition 9.0.1
References
- BugTraq: 4290
- CERT: CA-2002-08
- CVE: CVE-2002-0568
- URL: http://www.kb.cert.org/vuls/id/476619
- URL: http://www.securityspace.com/smysecure/catid.html?id=10855