6th Feb 2002 [SBWID-5074]
COMMAND
Oracle JSP translation file access
SYSTEMS AFFECTED
Oracle 9iAS, all operating systems
PROBLEM
From David Litchfield's [http://www.nextgenss.com] advisory
[#NISR06022002C]:
The web service with Oracle 9iAS is powered by Apache and provides many
application environments with which to offer services from the site.
These include SOAP, PL/SQL, XSQL and JSP. A security issue exists in
the OracleJSP environment where an attacker can get access to the
source code of the translated JSP page. A second issue relates to an
attacker gaining access to the globals.jsa contents.
Details
*******
When a user requests a JSP page from a server running OracleJSP the JSP
page is translated, compiled and executed with the results being
returned to the requesting client. During this process three
intermediary files are created. Assuming the JSP page is named
\"foo.jsp\"
_foo$__jsp_StaticText.class
_foo.class
_foo.java
these are stored in the /_pages directory. If foo.jsp existed in a
subdirectory named "bar", i.e. /bar/foo.jsp, a "_bar" directory
would be created under the "_pages" directory and the three files
placed there.
For more details on exact naming conventions please read
http://download-west.oracle.com/otndoc/oracle9i/901_doc/java.901/a90208/trandepl.htm
The problem arises because the translated .java file contains the
clear text source code and it can be accessed directly. As this
will often contain sensitive information such as a database UserID and
password, and business logic, this is considered a security risk.
Further to this, if the JSP application is using a globals.jsa file for
application-wide settings, an attacker may access this file directly
and obtain its contents. This poses the same threat: as the
globals.jsa can contain sensitive information, it must be protected.
SOLUTION
To address these problems, edit the httpd.conf file found in the
$ORACLE_HOME$/apache/apache/conf directory as follows:
To prevent access to the globals.jsa file add the following entry:
<Files ~ "^globals\.jsa$">
Order allow,deny
Deny from all
</Files>
To prevent access to the .java pages add the following entry:
<Location /_pages>
Order deny,allow
Deny from all
</Location>
Note that if the JSP pages are stored in an aliased directory (i.e. not
a subdirectory of "htdocs") then it is necessary to add an entry of
<Location /dirname/_pages>
Order deny,allow
Deny from all
</Location>
where "dirname" is the name of the aliased directory.