CVE-2005-4550
Description
The PORTAL schema in Oracle Application Server (OracleAS) Discussion Forum Portlet allows remote attackers to obtain the source code for arbitrary JSP and other files via a df_next_page parameter with a trailing null byte (%00).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:oracle:application_server_discussion_forum_portlet:*:*:*:*:*:*:*:*
- (no CPE)
Patches
Vulnerability mechanics
Root cause
"Missing input validation on the df_next_page parameter allows a null byte (%00) to terminate the file path string, causing arbitrary file disclosure."
Attack vector
An unauthenticated remote attacker sends a crafted HTTP GET request to the OracleAS portal page, appending a null byte (`%00`) to the `df_next_page` parameter value (e.g., `df_next_page=htdocs/search.jsp%00`). The null byte terminates the string at the operating-system level, causing the server to read and return the source code of the specified JSP file or any other file on the system, bypassing the intended JSP compilation/execution path [ref_id=1][ref_id=2]. No authentication is required, and the attack complexity is low [ref_id=2].
Affected code
The vulnerability resides in the OracleAS Discussion Forum Portlet (version May 2005), specifically in how the `df_next_page` parameter is processed by the PORTAL schema. The advisory does not name a specific function or file path within the portlet code, but the parameter is handled by the discussion forum JSP pages under the `htdocs/` directory [ref_id=1].
What the fix does
No official patch was released by Oracle for this vulnerability. The vendor characterized the forum portlet as sample code not intended for production use [ref_id=1]. The advisory's only remediation guidance is to restrict the forum portlet to test installations and avoid deploying it in production environments [ref_id=1][ref_id=2]. A proper fix would require input validation to strip or reject null bytes in the `df_next_page` parameter before the value is passed to file-system operations.
Preconditions
- config: The target must be running the OracleAS Discussion Forum Portlet (version May 2005) with the PORTAL schema accessible.
- auth: No authentication is required; the attacker can be unauthenticated and remote.
- input: The attacker must know or guess the path of a file on the server (e.g., htdocs/search.jsp).
- network: The attacker must be able to send HTTP GET requests to the OracleAS portal page.
Reproduction
1. Identify a target running OracleAS Discussion Forum Portlet (May 2005) with the PORTAL schema.
2. Send a GET request to the portal page with a crafted `df_next_page` parameter ending in `%00`, e.g.: `GET http://$host/portal/page?_pageid=XXX,XXX&_dad=portal&_schema=PORTAL&df_next_page=htdocs/search.jsp%00`
3. The server returns the source code of the requested file instead of executing it [ref_id=1][ref_id=2].
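Since no vendor patch exists, web access logs are the practical place to check whether this request shape has reached a deployment. The scanner below is an added example, not code from Oracle or the advisory: it flags requests whose `df_next_page` value decodes to a NUL byte. The log lines are constructed, and the combined-log layout, the function names and the decode-round limit are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

PARAM = "df_next_page"     # parameter named in the CVE description
MAX_DECODE_ROUNDS = 3      # assumption: enough to unwrap nested percent-encoding
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /portal/page?_pageid=1,1&_dad=portal&_schema=PORTAL&df_next_page=htdocs/search.jsp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2006:10:00:05 +0000] "GET /portal/page?_pageid=1,1&_dad=portal&_schema=PORTAL&df_next_page=htdocs/search.jsp%00 HTTP/1.1" 200 9321',
    '192.0.2.45 - - [01/Jan/2006:10:00:09 +0000] "GET /portal/page?_pageid=1,1&_dad=portal&_schema=PORTAL&df_next_page=htdocs/search.jsp%2500 HTTP/1.1" 200 9321',
    '192.0.2.46 - - [01/Jan/2006:10:00:12 +0000] "GET /index.html?q=a%00b HTTP/1.1" 200 312',
]

def fully_decode(value):
    """Percent-decode repeatedly so a nested encoding of %00 is not missed."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def nul_in_next_page(target):
    """Return decoded df_next_page values from a request target that contain NUL."""
    hits = []
    for pair in urlsplit(target).query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name) != PARAM:
            continue                      # other parameters are out of scope here
        value = fully_decode(raw)
        if "\x00" in value:
            hits.append(value)
    return hits

def scan(lines):
    """Return (line number, client address, path before the NUL) per finding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue                      # not a parseable request line
        for value in nul_in_next_page(match.group("target")):
            findings.append((lineno, line.split()[0], value.split("\x00")[0]))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same decode-then-check logic, applied to the parameter before it reaches any file-system call and rejecting the request on a hit, is the input validation the fix discussion above describes.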
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 6
News mentions: 0 (No linked articles in our index yet.)