Full Disclosure mailing list archives
[CVE-2011-4343] Apache MyFaces information disclosure vulnerability
From: Leonardo Uribe <lu4242 () apache org>
Date: Mon, 05 Dec 2011 09:33:18 -0500
--------------------------------------------------------------------------------------------------
CVE-2011-4343: Apache MyFaces information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
MyFaces Core 2.0.1 to 2.0.10
MyFaces Core 2.1.0 to 2.1.4

Description:
If a submit outcome includes both faces-redirect=true and includeViewParams=true (or the faces-include-view-params=true alias), it is possible to inject EL expressions directly into input fields mapped as view parameters.

Mitigation:
2.0.x users should update to 2.0.11
2.1.x users should update to 2.1.5
or apply the patch available on https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch

Example:

Bean (request scoped):

    private String value; // +getter+setter

    public String submit() {
        String viewId = FacesContext.getCurrentInstance().getViewRoot().getViewId();
        return viewId + "?faces-redirect=true&includeViewParams=true";
    }

View:

    <f:metadata>
        <f:viewParam name="value" value="#{bean.value}" />
    </f:metadata>
    <h:form>
        <h:inputText value="#{bean.value}" />
        <h:commandButton value="submit" action="#{bean.submit}" />
    </h:form>

Credit:
Issue reported on the JAVASERVERFACES issue tracker by user BalusC, and reported back to MyFaces by Frederick Kämpfer.

References:
https://issues.apache.org/jira/browse/MYFACES-3405
http://java.net/jira/browse/JAVASERVERFACES-2247
--------------------------------------------------------------------------------------------------

regards,

Leonardo Uribe
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
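An audit helper for the condition the advisory describes, added here as an example and not part of the advisory or of MyFaces: it checks a MyFaces Core version against the affected ranges and flags outcome strings that carry both parameters. The function names and the sample source text are constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory (inclusive bounds).
AFFECTED = [((2, 0, 1), (2, 0, 10)), ((2, 1, 0), (2, 1, 4))]

# Outcome parameters named in the advisory.
REDIRECT = re.compile(r"[?&]faces-redirect=true\b")
VIEW_PARAMS = re.compile(r"[?&](?:includeViewParams|faces-include-view-params)=true\b")
# Quoted literals: Java strings or action="..." attributes in views.
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: two bean methods and one view attribute.
SAMPLE = '''\
public String submit() {
    return viewId + "?faces-redirect=true&includeViewParams=true";
}
public String cancel() {
    return "home?faces-redirect=true";
}
<h:commandButton action="list?faces-include-view-params=true&amp;faces-redirect=true" />
'''


def is_affected(version):
    """True if a MyFaces Core version string falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    v = tuple(int(p) for p in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def risky_outcomes(text):
    """Return (line_number, literal) for outcomes carrying both parameters."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for literal in LITERAL.findall(line):
            lit = literal.replace("&amp;", "&")  # XHTML-escaped attribute values
            if REDIRECT.search(lit) and VIEW_PARAMS.search(lit):
                hits.append((lineno, literal))
    return hits


if __name__ == "__main__":
    for lineno, literal in risky_outcomes(SAMPLE):
        print("line %d: %s" % (lineno, literal))
```

Outcomes assembled from several string literals or at runtime are not matched, so a clean scan on an affected version does not replace the upgrade to 2.0.11 or 2.1.5.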