JSF value expression injection vulnerability
A few days ago this issue was reported to Mojarra: http://java.net/jira/browse/JAVASERVERFACES-2247.
It basically states that it is possible in JSF 2 to perform ValueExpression injection when includeViewParams is set to true on a navigation case.
To illustrate this in a better way, I created an example project at apache-extras, which shows the vulnerability: http://code.google.com/a/apache-extras.org/p/jsf-includeviewparams-security-hole-example/
Use the following steps to run the example:
- svn checkout http://svn.codespot.com/a/apache-extras.org/jsf-includeviewparams-security-hole-example/trunk/
- mvn clean jetty:run-exploded -PjettyConfig
- go to http://localhost:8080/include-view-params-security and follow the instructions
This vulnerability exists because JSF treats the value of a view parameter as a ValueExpression when performing a navigation case with includeViewParams=true, so whatever arrives in that request parameter is evaluated by the EL engine instead of being used as plain data. For further details, see the issues at Mojarra and MyFaces: http://java.net/jira/browse/JAVASERVERFACES-2247 and https://issues.apache.org/jira/browse/MYFACES-3405
Until this is fixed you should avoid using includeViewParams=true!
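Because the injected ValueExpression has to travel in a request parameter, the presence of EL syntax (`#{` or `${`) in a view parameter value is a reliable thing to alert on or block while you wait for the fix. The script below is an added example written for this post, not code from the example project or from Mojarra/MyFaces: it percent-decodes query parameters (repeatedly, so double encoding does not hide the markers), flags any value containing EL syntax, and runs the check over a few constructed access-log lines. The path `page.xhtml`, the bean name `exampleBean` and the log lines are constructed for the example; only the `/include-view-params-security` context path comes from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# JSF/EL expression syntax. A view parameter value carrying either marker is
# never legitimate user data; on affected versions it would be evaluated as a
# ValueExpression during a navigation with includeViewParams=true.
EL_MARKER = re.compile(r"[#$]\{")

# Request line inside a common-log-format access log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so %2523%257B... is seen as #{... too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_el(value):
    """True if the (decoded) parameter value contains EL expression syntax."""
    return EL_MARKER.search(fully_decode(value)) is not None


def suspicious_params(url):
    """Return (name, decoded value) for every query parameter carrying EL syntax."""
    query = urlsplit(url).query
    hits = []
    # parse_qsl already decodes one level; fully_decode handles the rest.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if contains_el(value):
            hits.append((name, fully_decode(value)))
    return hits


def scan_access_log(lines):
    """Return (request path, hits) for each log line whose query carries EL syntax."""
    findings = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group(1))
        if hits:
            findings.append((match.group(1), hits))
    return findings


# Constructed sample log lines: one benign request, one with a percent-encoded
# EL expression, one with the same expression double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Nov/2011:10:01:12 +0100] "GET /include-view-params-security/page.xhtml?id=42 HTTP/1.1" 200 1234',
    '10.0.0.5 - - [22/Nov/2011:10:01:30 +0100] "GET /include-view-params-security/page.xhtml?id=%23%7BexampleBean.name%7D HTTP/1.1" 200 1234',
    '10.0.0.7 - - [22/Nov/2011:10:02:01 +0100] "GET /include-view-params-security/page.xhtml?id=%2523%257BexampleBean.name%257D HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for path, hits in scan_access_log(SAMPLE_LOG):
        print(path)
        for name, value in hits:
            print("  parameter %r contains EL syntax: %r" % (name, value))
```

The same `contains_el` check, placed in a servlet filter in front of the FacesServlet and applied to every request parameter, rejects such requests before JSF ever builds a navigation case from them; the log scan is the retrospective version of that control for requests that already went through.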
4 Replies to "JSF value expression injection vulnerability"
J2EE Video Tutorial on November 24, 2011
Thank you for this info
JSF value expression injection vulnerability | Syngu on November 24, 2011
[...] A few days ago an issue was reported to Mojarra. It basically states that it is possible in JSF 2 to perform ValueExpression injection when includeViewParams is set to true on a navigation case. This means an attacker can cause any method of any managed bean in the application to be executed. News Read the original post on DZone… [...]
djorm on November 29, 2011
Thanks for such a good write up and useful reproducer!
Jakob Korherr's Blog » JSF value expression injection vulnerability | Java EE 6 Development | Scoop.it on November 22, 2011
[...] Jakob Korherr's Blog » JSF value expression injection vulnerability [...]