From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 20 Jun 2007 18:44:16 +0200
Subject: [UNIX] Apache MyFaces Tomahawk JSF Framework Cross-Site Scripting (XSS)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070620161245.7E16B5918@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apache MyFaces Tomahawk JSF Framework Cross-Site Scripting (XSS)
------------------------------------------------------------------------
SUMMARY
Java Server Faces, <http://myfaces.apache.org/>; JSF, is "a framework used
to create server side GUI Web applications. It is comparable to the Java
Struts framework. Apache MyFaces Tomahawk is an open source implementation
of JSF. The Tomahawk version contains Apache extensions to the base
specification". Remote exploitation of an input validation vulnerability
in Apache Software Foundation's MyFaces Tomahawk JSF framework could allow
an attacker to perform a cross-site scripting (XSS) attack.
DETAILS
Vulnerable Systems:
* MyFaces Tomahawk version 1.1.5
Immune Systems:
* MyFaces Tomahawk version 1.1.6
The code responsible for parsing HTTP requests is vulnerable to an XSS
vulnerability. When parsing the 'autoscroll' parameter from a POST or GET
request, the value of this variable is directly inserted into JavaScript
that is sent back to the client. This allows an attacker to run arbitrary
JavaScript in the context of the affected domain of the MyFaces
application being targeted.
Analysis:
Successful exploitation of this vulnerability allows an attacker to
conduct an XSS attack on a user. This could allow an attacker to steal
cookies, inject content into pages, or submit requests using the user's
credentials.
To exploit this vulnerability, an attacker must use social engineering
techniques to persuade the user to click a link to a Web application that
uses MyFaces Tomahawk. In the following example, the [javascript] portion
of the request would be present unfiltered in the returned content.
http://www.vulnerable.tld/some_app.jsf?autoscroll=[javascript]
Vendore response:
The Apache Software Foundation MyFaces team has addressed this
vulnerability by releasing version 1.1.6 of MyFaces Tomahawk. More
information can be found at the following URL:
<http://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12312536&styleName=Text&projectId=12310272>; http://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12312536&styleName=Text&projectId=12310272
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3101>;
CVE-2007-3101
Disclosure Timeline:
06/05/2007 - Initial vendor notification
06/05/2007 - Initial vendor response
06/14/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com.> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=544>;
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=544
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
