--------------------------------------------------------------------------------------------------
CVE-2011-4343: Apache MyFaces information disclosure vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
MyFaces Core 2.0.1 to 2.0.10
MyFaces Core 2.1.0 to 2.1.4
Description:
If a submit outcome includes both faces-redirect=true and
includeViewParams=true
(or faces-include-view-params=true alias) it is possible to inject EL
expressions
directly into input fields mapped as view parameters.
Mitigation:
2.0.x users should update to 2.0.11
2.1.x users should update to 2.1.5
or apply the patch available on
https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch
Example:
Bean (request scoped):
private String value; // +getter+setter
public String submit() {
String viewId = FacesContext.
getCurrentInstance().getViewRoot().getViewId();
return viewId + "?faces-redirect=true&includeViewParams=true";
}
View:
<f:metadata>
<f:viewParam name="value" value="#{bean.value}" />
</f:metadata>
<h:form>
<h:inputText value="#{bean.value}" />
<h:commandButton value="submit" action="#{bean.submit}" />
</h:form>
Credit: Issue reported on JAVASERVERFACES issue tracer by user BalusC,
and reported back to MyFaces by Frederick Kämpfer.
References:
https://issues.apache.org/jira/browse/MYFACES-3405
http://java.net/jira/browse/JAVASERVERFACES-2247
--------------------------------------------------------------------------------------------------
regards,
Leonardo Uribe
