10:04 a.m.
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Priority: Critical
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:47 p.m.
New subject: [JBoss JIRA] Commented: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Nick Belaevski commented on RF-4713:
------------------------------------
Reproducible when com.sun.faces.enableRestoreView11Compatibility = true
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:47 p.m.
New subject: [JBoss JIRA] Updated: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Nick Belaevski updated RF-4713:
-------------------------------
Fix Version/s: 3.3.0
Assignee: Nick Belaevski
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Nick Belaevski
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:02 a.m.
New subject: [JBoss JIRA] Commented: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Gerrit Brehmer commented on RF-4713:
------------------------------------
Yes, I cannot reproduce if this parameter is disabled. We could changed this parameter
yesterday because we had fixed an internal exception handling/redirect problem. So for us
this "workaround" is enough. Thanks!
The security tests were on our Production System with an older version of our web.xml. So
in latest snapshot from our software the failure has gone!
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Nick Belaevski
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:56 a.m.
New subject: [JBoss JIRA] Work started: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Work on RF-4713 started by Nick Belaevski.
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Nick Belaevski
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:57 p.m.
New subject: [JBoss JIRA] Work stopped: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Work on RF-4713 stopped by Nick Belaevski.
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Nick Belaevski
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:53 a.m.
New subject: [JBoss JIRA] Work started: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Work on RF-4713 started by Nick Belaevski.
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Nick Belaevski
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:05 p.m.
New subject: [JBoss JIRA] Resolved: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Nick Belaevski resolved RF-4713.
--------------------------------
Resolution: Done
Assignee: Tsikhon Kuprevich (was: Nick Belaevski)
3.2.2.SR1 and 3.1.6.SR1 including the fix have been marked in SVN
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Tsikhon Kuprevich
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:56 a.m.
New subject: [JBoss JIRA] Closed: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Tsikhon Kuprevich closed RF-4713.
---------------------------------
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Tsikhon Kuprevich
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:32 p.m.
New subject: [JBoss JIRA] Reopened: (RF-4713) hidden field javax.faces.ViewState is not sanitized
[
https://jira.jboss.org/jira/browse/RF-4713?page=com.atlassian.jira.plugin...
]
Dmytro Lisnichenko reopened RF-4713:
------------------------------------
hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------
Key: RF-4713
URL: https://jira.jboss.org/jira/browse/RF-4713
Project: RichFaces
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 3.2.2
Environment: jsf-ri 1.2_09-BETA1, WindowsXP, Firefox 3.0.0.3
Reporter: Gerrit Brehmer
Assignee: Tsikhon Kuprevich
Priority: Critical
Fix For: 3.3.0
We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting
Problem:
If I attach the following at any JSF site url I get a javascript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5440
days inactive
5915
days old
richfaces-issues@lists.jboss.org
9 comments
4 participants
participants (4)
-
Dmytro Lisnichenko (JIRA) -
Gerrit Brehmer (JIRA)
-
Nick Belaevski (JIRA)
-
Tsikhon Kuprevich (JIRA)