COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle8i Release 3 (8.1.7), Oracle Application Server 9iAS Release 1.0.2.0.1

PROBLEM

    The following is based on an Oracle Security Alert. A potential
    vulnerability in the Oracle JVM has been discovered. The Oracle
    JVM security policy for the Oracle Servlet Engine recommends
    granting file permissions in a very controlled manner. When this
    policy is disregarded and FilePermission is granted to <<ALL
    FILES>> within a web domain, directories and static files outside
    the web root can potentially be viewed with the help of the .jsp
    and .sqljsp extensions.

    Example:

        call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>','read');

    Thus, it may  also be possible  to execute .jsp  files outside the
    web root.

    Likelihood of occurrence: in a Netscape browser, a URL  containing
    "the current hierarchy level"  (".") and/or "the level  above this
    hierarchy level" (".."),

SOLUTION

    To  avoid  this  vulnerability,  grant  permission to the explicit
    document root file path only:

        call dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '(actually directory path)','read');
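    The following is an added example, not part of the Oracle alert: it
    audits the Oracle JVM policy for the blanket <<ALL FILES>> grant from
    the PROBLEM section, revokes it, and re-grants read access scoped to
    the document root as the SOLUTION describes. It assumes the
    DBA_JAVA_POLICY view and DBMS_JAVA.REVOKE_PERMISSION are available;
    '/path/to/docroot' is a placeholder for the real document root.

```sql
-- Added example (not from the Oracle alert). Assumes DBA_JAVA_POLICY and
-- DBMS_JAVA.REVOKE_PERMISSION; '/path/to/docroot' is a placeholder path.

-- 1. Find every grantee holding a FilePermission on <<ALL FILES>>.
SELECT grantee, type_name, name, action, enabled
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND type_name = 'java.io.FilePermission'
   AND name = '<<ALL FILES>>';

-- 2. Revoke the blanket grant (repeat for each grantee/action reported above).
CALL dbms_java.revoke_permission('SCOTT', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'read');

-- 3. Re-grant read access on the document root only. In Java FilePermission
--    naming a bare directory name covers just that directory entry, '/*'
--    covers the files directly in it, and '/-' covers the whole subtree,
--    which is what a servlet serving static content under the root needs.
CALL dbms_java.grant_permission('SCOTT', 'SYS:java.io.FilePermission', '/path/to/docroot/-', 'read');

-- 4. Confirm nothing wider than the document root remains for the grantee.
SELECT grantee, name, action, enabled
  FROM dba_java_policy
 WHERE kind = 'GRANT'
   AND type_name = 'java.io.FilePermission'
   AND grantee = 'SCOTT';
```

    Run the audit query periodically: a new <<ALL FILES>> row is the
    signal that the policy has been disregarded again.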