Archive for 'security'

JSF value expression injection vulnerability

A few days ago this issue was reported to Mojarra: http://java.net/jira/browse/JAVASERVERFACES-2247.

It basically states that it is possible in JSF 2 to perform ValueExpression injection when includeViewParams is set to true on a navigation case.

To illustrate this in a better way, I created an example project at apache-extras, which shows the vulnerability: http://code.google.com/a/apache-extras.org/p/jsf-includeviewparams-security-hole-example/

Use the following steps to run the example:

1. svn checkout http://svn.codespot.com/a/apache-extras.org/jsf-includeviewparams-security-hole-example/trunk/
2. mvn clean jetty:run-exploded -PjettyConfig
3. go to http://localhost:8080/include-view-params-security and follow the instructions

This vulnerability exists, because JSF treats the value of a view parameter as a ValueExpression when performing a navigation case with includeViewParams=true. For further details, see the issues at Mojarra and MyFaces: http://java.net/jira/browse/JAVASERVERFACES-2247 and https://issues.apache.org/jira/browse/MYFACES-3405

Until this is fixed you should avoid using includeViewParams=true!

search

Search for:

blogroll

• Adam Bien
• Ali Ok
• Gerhard Petracek
• Hanspeter Dünnenberger
• Leonardo Uribe
• Mark Struberg
• Matthias Wessendorf
• Michael Kurz
• Werner Punz

archive

• November 2011
• Mai 2011
• April 2011
• Dezember 2010
• Oktober 2010
• September 2010
• August 2010
• Juni 2010
• April 2010

meta

• RSS
• Kommentare als RSS