Bugtraq mailing list archives

Yet another path disclosure vulnerability


From: "KK Mookhey" <kkmookhey () yahoo com>
Date: Mon, 17 Sep 2001 14:32:08 +0530

Product: Oracle 9i Application Server.

Description: The Oracle 9i Application Server uses the Apache web server for HTTP service.
However, if a request is made for a non-existent .jsp file, the complete path is shown.
For instance, if you were to make the following request at a server running Oracle 9iAS,
http://server/Content/Home/anyfile.jsp,
then the output would be:

<Output begins>
                                            JSP Error:
--------------------------------------------------------------------------------

Request URI:/Content/Home/Jsp/anyfile.jsp

Exception:
javax.servlet.ServletException: java.io.FileNotFoundException:
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp
(The system cannot find the file specified)
--------------------------------------------------------------------------------
<End of output>

In case this is already documented, my apologies. I couldn't find it in the vulnerabilities database of Security Focus, and a Google search failed too.

Severity: Minor irritation

Systems Affected: I guess anyone running the product. I got the results on a Win 2K machine.

That's about it.

K. K. Mookhey

--Sorry, ran out of cool witticisms--
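
A defender-side check for the disclosure reported above, as an added example that is not part of the original post: it scans an HTTP error body for absolute filesystem paths and Java exception names, and reports the server-side prefix revealed when the page also echoes the request URI. The function name, the regexes and the list of Unix roots are assumptions; the sample body is the output quoted in the post with the rule lines omitted.

```python
import re

# Windows drive-letter paths; directory names may contain spaces, the leaf may not.
WIN_PATH = re.compile(r'\b[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\s]+')
# Unix paths under a few common roots (assumed list; extend for your hosts).
UNIX_PATH = re.compile(r"(?<![\w.:/])/(?:usr|opt|var|home|etc|srv)/[^\s<>()]+")
JAVA_EXC = re.compile(r"\bjavax?\.[\w.]+(?:Exception|Error)\b")
REQ_URI = re.compile(r"Request URI:\s*(\S+)")

# Error body as quoted in the post (rule lines omitted).
SAMPLE = r"""JSP Error:
Request URI:/Content/Home/Jsp/anyfile.jsp
Exception:
javax.servlet.ServletException: java.io.FileNotFoundException:
d:\oracle\ias\apache\apache\htdocs\company\content\home\jsp\anyfile.jsp
(The system cannot find the file specified)
"""


def scan_error_page(body):
    """Return disclosed filesystem paths, Java exception names and, when the
    page echoes the request URI, the server-side prefix the path reveals."""
    paths = WIN_PATH.findall(body) + UNIX_PATH.findall(body)
    finding = {
        "paths": paths,
        "exceptions": sorted(set(JAVA_EXC.findall(body))),
        "leaked_prefix": None,
    }
    uri = REQ_URI.search(body)
    if uri:
        # Compare case-insensitively with separators normalised to backslash.
        tail = uri.group(1).replace("/", "\\").lower()
        for p in paths:
            if p.replace("/", "\\").lower().endswith(tail):
                finding["leaked_prefix"] = p[: len(p) - len(tail)]
                break
    return finding


if __name__ == "__main__":
    print(scan_error_page(SAMPLE))
```

The request URI in the sample is not reported as a path because it sits under none of the listed filesystem roots, which keeps ordinary 404 pages that echo the URL from raising findings.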

