Message-ID: <4EDCD62E.5070307@apache.org>
Date: Mon, 05 Dec 2011 09:33:18 -0500
From: Leonardo Uribe <lu4242@...che.org>
To: security@...che.org, full-disclosure@...ts.grok.org.uk, 
	bugtraq@...urityfocus.com
Subject: [CVE-2011-4343] Apache MyFaces information disclosure vulnerability

--------------------------------------------------------------------------------------------------
CVE-2011-4343: Apache MyFaces information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
             MyFaces Core 2.0.1 to 2.0.10
             MyFaces Core 2.1.0 to 2.1.4

Description:

If the navigation outcome returned by a submit action includes both
faces-redirect=true and includeViewParams=true (or its alias
faces-include-view-params=true), EL expressions can be injected
directly through input fields that are mapped to view parameters.

Mitigation:

2.0.x users should update to 2.0.11
2.1.x users should update to 2.1.5
or apply the patch available on
https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch
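
The mitigation above is an upgrade, so the first thing to establish is
which deployed applications carry an affected MyFaces Core build. The
following script is an added example, not part of this advisory or of the
MyFaces project: it encodes the affected ranges and fixed releases stated
above and flags MyFaces Core jars in a WEB-INF/lib listing. The jar-name
pattern (myfaces-api-<version>.jar, myfaces-impl-<version>.jar) and the
sample listing are assumptions constructed for the example.

```python
import re

# Affected ranges and fixed releases, taken from the advisory text above
# (CVE-2011-4343): 2.0.1-2.0.10 -> 2.0.11, 2.1.0-2.1.4 -> 2.1.5.
AFFECTED = [
    ((2, 0, 1), (2, 0, 10), "2.0.11"),
    ((2, 1, 0), (2, 1, 4), "2.1.5"),
]

# Assumed MyFaces Core artifact naming as found in WEB-INF/lib,
# e.g. "myfaces-api-2.1.3.jar" or "myfaces-impl-2.0.10.jar".
JAR_RE = re.compile(r"^myfaces-(api|impl)-(\d+(?:\.\d+)*)(?:-SNAPSHOT)?\.jar$")


def parse_version(text):
    """Turn '2.0.10' into (2, 0, 10) so ranges compare numerically, not lexically
    ('2.0.10' < '2.0.9' as strings, which would miss the top of the 2.0.x range)."""
    return tuple(int(part) for part in text.split("."))


def fixed_version(version):
    """Return the fixed release if `version` lies in an affected range, else None."""
    v = parse_version(version)
    for low, high, fix in AFFECTED:
        if low <= v <= high:
            return fix
    return None


def audit_lib_dir(jar_names):
    """Map each MyFaces Core jar in a WEB-INF/lib listing to (version, fix-or-None)."""
    findings = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue  # not a MyFaces Core artifact; other libraries are ignored
        version = m.group(2)
        findings[name] = (version, fixed_version(version))
    return findings


# Constructed sample listing of a deployed WEB-INF/lib; not from a real system.
SAMPLE_LIB = [
    "myfaces-api-2.1.3.jar",
    "myfaces-impl-2.1.3.jar",
    "commons-beanutils-1.8.3.jar",
    "myfaces-api-2.0.11.jar",
]

if __name__ == "__main__":
    for jar, (version, fix) in sorted(audit_lib_dir(SAMPLE_LIB).items()):
        status = f"AFFECTED, update to {fix}" if fix else "not affected"
        print(f"{jar}: MyFaces Core {version} {status}")
```

Run it against the real directory listing (os.listdir of WEB-INF/lib) or
feed it the version from pom.xml; the jar-name match is a heuristic for
repackaged or renamed artifacts, so an unmatched name is not proof of a
clean deployment. The script only establishes version exposure; whether a
given application actually uses includeViewParams with user-mapped view
parameters is a separate code review.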

Example:

Bean (request scoped):

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;

@ManagedBean
@RequestScoped
public class Bean {
  private String value; // +getter+setter

  public String submit() {
    // Redirect back to the current view, carrying the view parameters in the URL.
    String viewId = FacesContext.getCurrentInstance().getViewRoot().getViewId();
    return viewId + "?faces-redirect=true&includeViewParams=true";
  }
}

View:

<f:metadata>
<f:viewParam name="value" value="#{bean.value}" />
</f:metadata>
<h:form>
<h:inputText value="#{bean.value}" />
<h:commandButton value="submit" action="#{bean.submit}" />
</h:form>

Credit: Issue reported on the JAVASERVERFACES issue tracker by user BalusC,
and reported back to MyFaces by Frederick Kämpfer.

References:
https://issues.apache.org/jira/browse/MYFACES-3405
http://java.net/jira/browse/JAVASERVERFACES-2247

--------------------------------------------------------------------------------------------------

regards,

Leonardo Uribe
