CVE-2005-4549
Description
Cross-site scripting (XSS) vulnerability in Oracle Application Server (OracleAS) Discussion Forum Portlet allows remote attackers to inject arbitrary web script or HTML via the (1) RowKeyValue parameter in the PORTAL schema; and the (2) title and (3) content input fields when creating a forum article.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:oracle:application_server_discussion_forum_portlet:*:*:*:*:*:*:*:*
- (no CPE)
Patches
Vulnerability mechanics
Root cause
"Missing input validation and output encoding in the OracleAS Discussion Forum Portlet allows injection of arbitrary HTML and JavaScript."
Attack vector
Two attack vectors exist. First, a reflected XSS: an attacker crafts a malicious URL containing JavaScript in the "RowKeyValue" parameter and tricks a victim into clicking it, causing the script to execute temporarily [ref_id=1][ref_id=2]. Second, a stored XSS: an attacker posts a forum article with malicious script in the title or content fields; any user who views the article (or even just the overview page if the title is crafted to hide the article) will execute the stored script, enabling session cookie theft or other client-side attacks [ref_id=1][ref_id=2]. No authentication is required to trigger either vector [ref_id=2].
Affected code
The advisory identifies the OracleAS Discussion Forum Portlet (version of May 2005) as the vulnerable component [ref_id=1][ref_id=2]. The URL parameter "RowKeyValue" in the PORTAL schema is not validated, and the title and content input fields when creating a forum article lack any filtering [ref_id=1][ref_id=2]. No patch or source code is provided in the bundle, so specific function names or file paths are not available.
What the fix does
No patch is available in the bundle. The advisory states that Oracle acknowledged the issue in September 2005 and indicated a fix would be provided within four weeks, but no patch was released before the advisory was published [ref_id=1][ref_id=2]. Oracle's response characterized the forum portlet as sample code not intended for production use, and the advisory's recommended remediation is to use the forum portlet only in test installations and not in a production environment [ref_id=1][ref_id=2].
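With no patch available, one defensive option is to look for reflected attempts against `RowKeyValue` in web server access logs. The sketch below is an added example, not code from the advisory or from Oracle; it assumes combined-format access logs and that legitimate row keys are short alphanumeric identifiers, and its log lines and `_pageid` values are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: legitimate row keys are short alphanumeric identifiers.
SAFE_ROW_KEY = re.compile(r"[A-Za-z0-9_.-]{1,64}")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (benign markup only), not taken from the advisory.
_PREFIX = ('192.0.2.10 - - [12/Sep/2005:10:01:02 +0200] '
           '"GET /portal/page?_pageid=33,1&_dad=portal&_schema=PORTAL')
SAMPLE_LOG = [
    _PREFIX + '&df_next_page=htdocs/forums.jsp&RowKeyValue=1042 HTTP/1.1" 200 5120',
    _PREFIX + '&df_next_page=htdocs/forums.jsp&RowKeyValue=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5310',
    _PREFIX + '&df_next_page=htdocs/forums.jsp&RowKeyValue=%253Cb%253Ex HTTP/1.1" 200 5310',
    _PREFIX + '&RowKeyValue=%3Cb%3E HTTP/1.1" 200 4100',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_row_keys(log_lines):
    """Return (line_number, decoded_value) for forum-page requests whose
    RowKeyValue falls outside the allowlist."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        params = parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True)
        # Only requests routed to the forum page named in the advisory URL.
        if not any(k == "df_next_page" and v.endswith("forums.jsp") for k, v in params):
            continue
        for key, value in params:
            if key.lower() == "rowkeyvalue":
                value = fully_decode(value)  # parse_qsl already decoded once
                if not SAFE_ROW_KEY.fullmatch(value):
                    hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in suspicious_row_keys(SAMPLE_LOG):
        print(f"line {number}: unexpected RowKeyValue {value!r}")
```

This covers only the reflected vector; the stored vector arrives in the title and content form fields, which typically do not appear in access logs.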
Preconditions
- input: The attacker must be able to craft a URL with a malicious RowKeyValue parameter (reflected XSS) or post a forum article (stored XSS).
- network: A victim must click the crafted URL (reflected) or view the malicious article/overview page (stored).
- auth: No authentication is required for the attacker to craft the payload.
Reproduction
**Reflected XSS:** Request a URL such as `http://$host/portal/page?_pageid=XXX,XXX&_dad=portal&_schema=PORTAL&df_next_page=htdocs/forums.jsp&RowKeyValue=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.