A few days ago this issue was reported to Mojarra: http://java.net/jira/browse/JAVASERVERFACES-2247.
It basically states that it is possible in JSF 2 to perform ValueExpression injection when includeViewParams is set to true on a navigation case.
To illustrate this more clearly, I created an example project at apache-extras that demonstrates the vulnerability: http://code.google.com/a/apache-extras.org/p/jsf-includeviewparams-security-hole-example/
Use the following steps to run the example:
- svn checkout http://svn.codespot.com/a/apache-extras.org/jsf-includeviewparams-security-hole-example/trunk/
- mvn clean jetty:run-exploded -PjettyConfig
- go to http://localhost:8080/include-view-params-security and follow the instructions
This vulnerability exists because JSF treats the value of a view parameter as a ValueExpression when performing a navigation case with includeViewParams=true. For further details, see the issues at Mojarra and MyFaces: http://java.net/jira/browse/JAVASERVERFACES-2247 and https://issues.apache.org/jira/browse/MYFACES-3405
Until this is fixed you should avoid using includeViewParams=true!
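To act on that advice you first need to know where a project turns the setting on. The following audit script is an added example, not part of the example project or of either JSF implementation: it flags the faces-config.xml `<redirect include-view-params="true"/>` form, the `includeViewParams=true` / `faces-include-view-params=true` outcome parameters, and the `includeViewParams` component attribute. The sample inputs, file names and the `prefs.keepParams` bean are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Spellings JSF 2 accepts: the faces-config.xml <redirect> attribute, the
# implicit-navigation outcome parameter, and the h:link / h:button attribute.
SETTING = re.compile(
    r"""(includeViewParams|(?:faces-)?include-view-params)\s*=\s*["']?\s*(true\b|[#$]\{)"""
)
SCANNED_SUFFIXES = {".xml", ".xhtml", ".jsp", ".jspx", ".java"}

def scan_text(text, source="<memory>"):
    """Return (source, line_no, verdict, line) for every use of the setting."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in SETTING.finditer(line):
            # A literal "true" is certain; an EL-valued attribute needs a human.
            verdict = "enabled" if match.group(2) == "true" else "dynamic"
            findings.append((source, line_no, verdict, line.strip()))
    return findings

def scan_tree(root):
    """Scan every config, view and Java source file below root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample input, not taken from the example project.
SAMPLE_FACES_CONFIG = """\
<navigation-case>
  <to-view-id>/results.xhtml</to-view-id>
  <redirect include-view-params="true"/>
</navigation-case>
"""
SAMPLE_VIEW = """\
<h:commandButton action="results?faces-redirect=true&amp;includeViewParams=true"/>
<h:link outcome="home" includeViewParams="#{prefs.keepParams}"/>
<h:link outcome="about" includeViewParams="false"/>
"""

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else (
        scan_text(SAMPLE_FACES_CONFIG, "faces-config.xml")
        + scan_text(SAMPLE_VIEW, "search.xhtml"))
    for source, line_no, verdict, line in hits:
        print(f"{source}:{line_no}: {verdict}: {line}")
```

Run it with the project root as the only argument; without an argument it scans the constructed samples.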