In a default installation of Oracle 9iAS v.220.127.116.11.1, it is possible to access some configuration files. These file includes detailed information on how the product was installed in the server including where the SOAP provider and service manager are located as well as administrative URLs to access them. They might also contain sensitive information (usernames and passwords for database access).
Modify the file permissions so that the web server process cannot retrieve it. Note however that if the XSQLServlet is present it might bypass filesystem restrictions. More information: http://otn.oracle.com/deploy/security/pdf/ojvm_alert.pdf http://www.cert.org/advisories/CA-2002-08.html http://www.kb.cert.org/vuls/id/476619 Also read: Hackproofing Oracle Application Server from NGSSoftware: available at http://www.nextgenss.com/papers/hpoas.pdf