Oracle 9i Application Server (9iAS) installs multiple sample pages that allow remote attackers to obtain environment variables and other sensitive information via (1) info.jsp, (2) printenv, (3) echo, or (4) echo2.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Application_server | Oracle | 1.0.2 (including) | 1.0.2 (including) |
| Application_server | Oracle | 1.0.2.1s (including) | 1.0.2.1s (including) |
| Application_server | Oracle | 1.0.2.2 (including) | 1.0.2.2 (including) |
| Application_server | Oracle | 9.0.2.0.0 (including) | 9.0.2.0.0 (including) |
| Application_server | Oracle | 9.0.2.0.1 (including) | 9.0.2.0.1 (including) |
References
- http://www.kb.cert.org/vuls/id/717827
- http://www.kb.cert.org/vuls/id/SVIM-576QLZ
- http://www.nextgenss.com/papers/hpoas.pdf
- http://www.oracle.com/technology/deploy/security/pdf/ias_modplsql_alert.pdf
- http://www.securityfocus.com/bid/6556
- https://exchange.xforce.ibmcloud.com/vulnerabilities/8665
- http://www.kb.cert.org/vuls/id/717827
- http://www.kb.cert.org/vuls/id/SVIM-576QLZ
- http://www.nextgenss.com/papers/hpoas.pdf
- http://www.oracle.com/technology/deploy/security/pdf/ias_modplsql_alert.pdf
- http://www.securityfocus.com/bid/6556
- https://exchange.xforce.ibmcloud.com/vulnerabilities/8665