发布时间 :2002-07-03 00:00:00
修订时间 :2016-10-17 22:20:43

[原文]Oracle 9i Application Server stores XSQL and SOAP configuration files insecurely, which allows local users to obtain sensitive information including usernames and passwords by requesting (1) XSQLConfig.xml or (2) soapConfig.xml through a virtual directory.

[CNNVD]Oracle 9i默认配置文件信息泄露漏洞(CNNVD-200207-048)

        Oracle 9iAS包含了两个重要的配置文件叫"XSQLConfig.xml"和"soapConfig.xml",它们分别是XSQL和SOAP组件的配置文件,其中存放了一些敏感信息比如数据库服务器主机名、数据库用户名和口令等等。
        Oracle 9iAS在这两个敏感文件的访问控制上存在问题,导致远程攻击者可能得到其中的信息。
        Oracle 9iAS对这些配置文件的访问没有做任何认证,任何客户端可以轻易地通过Web虚拟目录访问到这两个文件。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:oracle:application_server:1.0.2Oracle Application Server 9i 1.0.2

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20020206 Hackproofing Oracle Application Server paper

- 漏洞信息

Oracle 9i默认配置文件信息泄露漏洞
低危 配置错误
2002-07-03 00:00:00 2005-10-20 00:00:00
        Oracle 9iAS包含了两个重要的配置文件叫"XSQLConfig.xml"和"soapConfig.xml",它们分别是XSQL和SOAP组件的配置文件,其中存放了一些敏感信息比如数据库服务器主机名、数据库用户名和口令等等。
        Oracle 9iAS在这两个敏感文件的访问控制上存在问题,导致远程攻击者可能得到其中的信息。
        Oracle 9iAS对这些配置文件的访问没有做任何认证,任何客户端可以轻易地通过Web虚拟目录访问到这两个文件。

- 公告与补丁

        * 对两个配置文件设置正确的访问权限,禁止匿名用户访问。

- 漏洞信息

Oracle Application Server XSQLServlet soapConfig.xml Authentication Credentials Disclosure
Vendor Verified

- 漏洞描述

Oracle 9i Application Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker accesses soapConfig.xml, which will disclose sensitive server information resulting in a loss of confidentiality.

- 时间线

2002-01-10 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Protect the soapConfig.xml file by moving it to a non-presentation area of the server.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Oracle 9i Default Configuration File Information Disclosure Vulnerability
Configuration Error 4290
Yes No
2002-02-06 12:00:00 2009-07-11 11:56:00
Credited to David Litchfield.

- 受影响的程序版本

Oracle Oracle9i Standard Edition 9.0.1
Oracle Oracle9i Standard Edition 9.0
Oracle Oracle9i Application Server 1.0.2
Oracle Oracle8i Standard Edition 8.1.7 .1
Oracle Oracle8i Standard Edition 8.1.7

- 漏洞讨论

Oracle 9iAS includes two important configuration files called "XSQLConfig.xml" and "soapConfig.xml". The configuration files contain sensitive information, such as database usernames and passwords.

Both of these files are accessible to remote clients without any authentication. It is possible for malicious users to access and read the files through a virtual directory.

Possibly sensitive information disclosed to attackers may assist in further attacks.

- 漏洞利用

No exploit is required.

- 解决方案

Administrators are advised to block access to this file by modifying its permissions.

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 相关参考