CVE-2005-4550
published 2005-12-28

Priority: P4 (29), medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EXPLOIT
EPSS: 6.09% (92.5th percentile)
The PORTAL schema in Oracle Application Server (OracleAS) Discussion Forum Portlet allows remote attackers to obtain the source code for arbitrary JSP and other files via a df_next_page parameter with a trailing null byte (%00).

Detection & IOCs (extracted from sources)

url: http://www.example.com/portal/page?_pageid=XXX,XXX&_dad=portal&_schema=PORTAL&df_next_page=htdocs/forums.jsp&RowKeyValue=alert(document.cookie)
url: http://www.example.com/portal/page?_pageid=XXX,XXX&_dad=portal&_schema=PORTAL&df_next_page=htdocs/search.jsp%00
path: /portal/page
path: htdocs/search.jsp%00
path: htdocs/forums.jsp
  • Detect source code disclosure attempts by monitoring HTTP requests to /portal/page where the df_next_page parameter contains a trailing null byte (%00), indicating an attempt to bypass file extension filtering and retrieve raw JSP/file source.
  • Monitor requests to OracleAS portal endpoints for the _schema=PORTAL and _dad=portal query parameters combined with a df_next_page value ending in %00, which is the specific attack pattern for this CVE.
  • Detect XSS attempts against the Discussion Forum Portlet by alerting on requests to /portal/page where the RowKeyValue parameter contains JavaScript payloads such as alert(document.cookie).
  • The PORTAL schema in OracleAS Discussion Forum Portlet is the targeted component; restrict or alert on external access to portal pages exposing the df_next_page parameter.
  • Oracle Application Server Discussion Forum Portlet is not intended for production use; deployments in production environments are inherently misconfigured and should be removed.
  • All versions of Oracle Application Server Discussion Forum Portlet are considered vulnerable to these issues; there is no safe version to deploy.
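
The detection bullets above can be turned into a log check. The following is an added example, not code from this page or from Oracle: it scans access log lines for /portal/page requests whose df_next_page value contains a null byte or whose RowKeyValue looks like script. The log format, the sample entries, the finding labels, the script regex and the extra decoding round (in case a proxy or the application decodes twice) are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request line in a log entry
SCRIPT_RE = re.compile(r"<script|document\.cookie|alert\s*\(", re.I)  # heuristic (assumption)

def decode_layers(value, rounds=2):
    """Strip extra percent-encoding layers, e.g. %2500 -> %00 -> NUL."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_request(target):
    """Return finding labels for one request target (path plus query string)."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").lower() != "/portal/page":
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_layers(value)  # parse_qsl already decoded one layer
        if name == "df_next_page" and "\x00" in value:
            findings.append("df_next_page-null-byte")
        if name == "RowKeyValue" and SCRIPT_RE.search(value):
            findings.append("RowKeyValue-script")
    return findings

def scan_log(lines):
    """Return (line_number, finding) for every suspicious request in the log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((number, f) for f in check_request(match.group(1)))
    return hits

# Constructed sample entries (192.0.2.0/24 is a documentation address range).
PREFIX = '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET '
BASE = "/portal/page?_pageid=1,1&_dad=portal&_schema=PORTAL&df_next_page="
SAMPLE_LOG = [
    PREFIX + BASE + 'htdocs/forums.jsp HTTP/1.1" 200 5120',
    PREFIX + BASE + 'htdocs/search.jsp%00 HTTP/1.1" 200 8211',
    PREFIX + BASE + 'htdocs/search.jsp%2500 HTTP/1.1" 200 8211',
    PREFIX + BASE + 'htdocs/forums.jsp&RowKeyValue=alert(document.cookie) HTTP/1.1" 200 5200',
    PREFIX + '/index.html?df_next_page=a%00 HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```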