File Disclosure using df_next_page parameter in OracleAS Discussion Forum Portlet

2005.12.25
Credit: Johannes Greil
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2005-4550
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

SEC Consult Security Advisory < 20051223-1 > ======================================================================== title: < File Disclosure using df_next_page parameter in OracleAS Discussion Forum Portlet > program: < OracleAS Discussion Forum Portlet > vulnerable version: < Version of May 2005 > homepage: < http://www.oracle.com > found: < 2005-09-16 > by: < Johannes Greil > SEC-CONSULT / www.sec-consult.com ======================================================================== vendor description: ------------------- Oracle's business is information - how to manage it, use it, share it, protect it. For nearly three decades, Oracle, the world's largest enterprise software company, has provided the software and services that let organizations get the most up-to-date and accurate information from their business systems. [www.oracle.com] vulnerability overview: ----------------------- It is possible to read arbitrary files of the system such as the WEB-INF directory through the discussion forum portlet. An attacker needs to know the file names. proof of concept: ----------------- By requesting the forum URL and adding a null character "%00" to the "df_next_page" parameter, it is possible to retrieve the source code of the JSP files or other content on the server. e.g. $ GET http://$host/portal/page?_pageid=XXX,XXX&_dad=portal&_schema=PORTAL& df_next_page=htdocs/search.jsp%00 vulnerable versions: -------------------- Version of May 2005 http://www.oracle.com/technology/products/ias/portal/point_downloads.html#forum vendor status: -------------- vendor notified: 2005-09-26 vendor response: 2005-09-27 patch available: - The first response from Oracle was on 27th September (assigning bug numbers) with a more detailed answer on 28th September. They explicitly said that the forum is sample code and shouldn't be used in a production environment although it can be found in such installations. The last email from Oracle was on 21st October saying that they will fix it "hopefully within the next 4 weeks". Asking them for a status update at the beginning of December and another email on 19th December didn't trigger any responses hence this advisory is being released. solution: --------- Only use the forum portlet in test installations and not in a production environment. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ < Johannes Greil > / www.sec-consult.com / SGT ::: < tke, mei, bmu, dfa > :::


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top