This is a MIME-formatted message.  If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_lexx-14373-1135326212-0001-2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

SEC Consult Security Advisory < 20051223-1 >
========================================================================
             title: < File Disclosure using df_next_page parameter
                      in OracleAS Discussion Forum Portlet >
           program: < OracleAS Discussion Forum Portlet >
vulnerable version: < Version of May 2005 >
          homepage: < http://www.oracle.com >
             found: < 2005-09-16 >
                by: < Johannes Greil > SEC-CONSULT / www.sec-consult.com
========================================================================

vendor description:
-------------------
Oracle's business is information - how to manage it, use it, share it,
protect it. For nearly three decades, Oracle, the world's largest
enterprise software company, has provided the software and services
that let organizations get the most up-to-date and accurate information
from their business systems.
[www.oracle.com]


vulnerability overview:
-----------------------

It is possible to read arbitrary files of the system such as the
WEB-INF directory through the discussion forum portlet. An attacker
needs to know the file names.


proof of concept:
-----------------

By requesting the forum URL and adding a null character "%00" to the
"df_next_page" parameter, it is possible to retrieve the source code of
the JSP files or other content on the server.

e.g.
$ GET
http://$host/portal/page?_pageid=XXX,XXX&_dad=portal&_schema=PORTAL&
df_next_page=htdocs/search.jsp%00


vulnerable versions:
--------------------

Version of May 2005
http://www.oracle.com/technology/products/ias/portal/point_downloads.html#forum


vendor status:
--------------
vendor notified: 2005-09-26
vendor response: 2005-09-27
patch available: -

The first response from Oracle was on 27th September (assigning bug
numbers) with a more detailed answer on 28th September. They explicitly
said that the forum is sample code and shouldn't be used in a production
environment although it can be found in such installations.

The last email from Oracle was on 21st October saying that they will fix
it "hopefully within the next 4 weeks". Asking them for a status update
at the beginning of December and another email on 19th December didn't
trigger any responses hence this advisory is being released.


solution:
---------

Only use the forum portlet in test installations and not in a production
environment.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
< Johannes Greil > / www.sec-consult.com /
SGT ::: < tke, mei, bmu, dfa > :::

--=_lexx-14373-1135326212-0001-2
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJNzCC
AvYwggJfoAMCAQICAw88NzANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UE
ChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDUwODAyMTIzMTEwWhcNMDYwODAyMTIzMTEw
WjBkMQ4wDAYDVQQEEwVHcmVpbDERMA8GA1UEKhMISm9oYW5uZXMxFzAVBgNVBAMTDkpvaGFu
bmVzIEdyZWlsMSYwJAYJKoZIhvcNAQkBFhdqLmdyZWlsQHNlYy1jb25zdWx0LmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgLAOvtJoQsA4wlIE1G49hqS9Icb4f9JmbM
+ehTvQgsVmpmEtCwAKxDxhe+/6lZjZyz9xh95SrVfA/2MlGUgUkE4QMLMxkf8qAvaF7n4AZo
KvRe8iMw5rnhXcUSWUmsx2RXAS9tKVFJjt7I5cb8VmE88gCpVDx2SPXIgpBXyjx4hOqhvEnV
ORHq6nwLJtD0C73RTxsVDefjZXQLXoyQl9jnYuedQMM67HXM9Hz3mL01SnOF1mGt9EE6vufe
B7OZYr1foutSL5EJna0xIjC19Vw0emetcYr362gXkNUCa/IJsbPIM8p9w4y6grHosunl0IXU
YOXbZ3JFTkogF2KAgLsCAwEAAaM0MDIwIgYDVR0RBBswGYEXai5ncmVpbEBzZWMtY29uc3Vs
dC5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQCCQoDIstXJyUfOMcr+1auf
H3nD2EGr5If//nrdDgn8teb8YC6d+rP/jX1KvhdffdBjioVxgjq8R1UDJlttHLwXV2E+DqX2
cfaOnBjx4BIwWs2J34qGcgzc2LFzJmRIGBiI31/qiHihWL3FM3ULigi83NSCl9BOi+0CM7vE
wqztVzCCAvYwggJfoAMCAQICAw88NzANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTEl
MCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3Rl
IFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDUwODAyMTIzMTEwWhcNMDYwODAy
MTIzMTEwWjBkMQ4wDAYDVQQEEwVHcmVpbDERMA8GA1UEKhMISm9oYW5uZXMxFzAVBgNVBAMT
DkpvaGFubmVzIEdyZWlsMSYwJAYJKoZIhvcNAQkBFhdqLmdyZWlsQHNlYy1jb25zdWx0LmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgLAOvtJoQsA4wlIE1G49hqS9Ic
b4f9JmbM+ehTvQgsVmpmEtCwAKxDxhe+/6lZjZyz9xh95SrVfA/2MlGUgUkE4QMLMxkf8qAv
aF7n4AZoKvRe8iMw5rnhXcUSWUmsx2RXAS9tKVFJjt7I5cb8VmE88gCpVDx2SPXIgpBXyjx4
hOqhvEnVORHq6nwLJtD0C73RTxsVDefjZXQLXoyQl9jnYuedQMM67HXM9Hz3mL01SnOF1mGt
9EE6vufeB7OZYr1foutSL5EJna0xIjC19Vw0emetcYr362gXkNUCa/IJsbPIM8p9w4y6grHo
sunl0IXUYOXbZ3JFTkogF2KAgLsCAwEAAaM0MDIwIgYDVR0RBBswGYEXai5ncmVpbEBzZWMt
Y29uc3VsdC5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOBgQCCQoDIstXJyUfO
Mcr+1aufH3nD2EGr5If//nrdDgn8teb8YC6d+rP/jX1KvhdffdBjioVxgjq8R1UDJlttHLwX
V2E+DqX2cfaOnBjx4BIwWs2J34qGcgzc2LFzJmRIGBiI31/qiHihWL3FM3ULigi83NSCl9BO
i+0CM7vEwqztVzCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAwgdExCzAJBgNVBAYT
AlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEaMBgGA1UE
ChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMg
RGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBDQTErMCkGCSqG
SIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0wMzA3MTcwMDAwMDBa
Fw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3Vs
dGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNz
dWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV+065yplaHmjAdQRw
nd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfArhVqqP3FWy688Cwfn
8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/p7bRPGEEQB5kGXJg
t/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8MDowOKA2oDSGMmh0
dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWlsQ0EuY3JsMAsGA1Ud
DwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxhYmVsMi0xMzgwDQYJ
KoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/TCG4+DYfqi2fNi/A
9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amcOY6MIE9lX5Xa9/eH
1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggM7MIIDNwIBATBpMGIxCzAJ
BgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYD
VQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDzw3MAkGBSsOAwIa
BQCgggGnMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA1MTIy
MzA4MjMyMlowIwYJKoZIhvcNAQkEMRYEFOtTzgto4h28EjjQMeBPf4/jTXdHMFIGCSqGSIb3
DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcG
BSsOAwIHMA0GCCqGSIb3DQMCAgEoMHgGCSsGAQQBgjcQBDFrMGkwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0
ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAgMPPDcwegYLKoZIhvcNAQkQAgsxa6Bp
MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQu
MSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIDDzw3MA0G
CSqGSIb3DQEBAQUABIIBAEpEE7UjPywRnR2XdQ+F56507QPAkJJXotoZ5cJIWVggGaHTcmEM
0XDBDxWHhi1ENAYVxduhejnNChr7hwsSLYZ3w7wdSzpTW+Xuqg4FFrfXf105JlrTqle7Tp9/
SbVIBl/1cggTci7AfCvtwpC3dsV9y6+zlUjTg69hy/D13P1JM2GAY+Swpy0a4Ya8s7GovBnV
oD6s6YW5J8/5ykMIgwb8/HTirAB5GsWOhi4WBAfWyB42GrU5dijiApyi0RLPyTkho2MLP/ii
HAlRNxAjR31hIxbmtvuQZL/bAejgw1GVhAXqy94JmDAVug1D8riuwEMCbTBAjysH4OWxw87x
bIYAAAAAAAA=
--=_lexx-14373-1135326212-0001-2--