[richfaces-issues] [JBoss JIRA] Updated: (RF-4712) hidden field javax.faces.ViewState is not sanitized

Gerrit Brehmer (JIRA) jira-events at lists.jboss.org
Wed Oct 22 10:01:21 EDT 2008


     [ https://jira.jboss.org/jira/browse/RF-4712?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gerrit Brehmer updated RF-4712:
-------------------------------

          Environment: jsf-ri 1.2_09-BETA1,  WindowsXP, Firefox 3.0.0.3  (was: jsf-ri 1.2_06-b02-FCS,  facelets 1.1.13, RichFaces 3.1.2SP1, WindowsXP(x86_64))
        Fix Version/s:     (was: 3.2.0)
    Affects Version/s: 3.2.2
                           (was: 3.1.2)
          Description: 
Sorry for duplicating the old bug, but I think he had the same problem...

We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting Problem:

If I attach the following to any JSF site URL I get a JavaScript popup:
?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>

I know that we could filter each request.

  was:
Here is the sample facelets page in my application that produces the symptom. 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns:f="http://java.sun.com/jsf/core"
       xmlns:h="http://java.sun.com/jsf/html"
       xmlns:ui="http://java.sun.com/jsf/facelets"
       xmlns:a4j="http://richfaces.org/a4j"
       xmlns:rich="http://richfaces.org/rich"
       xmlns="http://www.w3.org/1999/xhtml" >
  <head>
    <title></title>
  </head>
  <body>
    <f:view>
        <h:form>
            <rich:panel header="Simple Echo">
                <h:inputText size="20" value="#{startupBean.command}" >
                    <a4j:support event="onkeyup" reRender="ruleTest" action="#{startupBean.doApprove}"/>
                </h:inputText>
                <h:outputText value="#{startupBean.result}" id="ruleTest"/>
            </rich:panel>
        </h:form>
    </f:view>
  </body>
</html>

The first time, the rendered output looks like the following:

<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /></span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body>
</html>

When the javax.faces.ViewState hidden param injection makes a POST request like the one below,

AJAXREQUEST=_viewRoot&j_id2=j_id2&j_id2%3Aj_id4=hello&javax.faces.ViewState=_id2"<script>alert(document.cookie);</script>&j_id2%3Aj_id5=j_id2%3Aj_id5&

the rendered response is:

<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title></title><link type="text/css" rel="stylesheet" href="/a4j_3_1_2.GAcss/panel.xcss/DATB/eAGTWzQ.BgAD.AG8.jsf" /><script type="text/javascript" src="/a4j_3_1_2.GAorg.ajax4jsf.javascript.AjaxScript.jsf">
</script></head>
<body><span id="j_id2:ruleTest">world</span><meta name="Ajax-Update-Ids" content="j_id2:ruleTest" /><span id="ajax-view-state"><input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="_id2" /><script type="text/javascript">//<![CDATA[
alert(document.cookie);
//]]>
</script>" /&gt;</span><meta id="Ajax-Response" name="Ajax-Response" content="true" /></body></html>


I'm not sure whether it's a jsf-ri issue or a RichFaces one, but if javax.faces.STATE_SAVING_METHOD is set to client,
I couldn't reproduce the same issue.
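The two responses above show the defect: the value taken from the javax.faces.ViewState request parameter is written back into the hidden input's value attribute verbatim, so a double quote in it closes the attribute and the rest is parsed as markup. The following is an added example, not code from the reporter or from the RichFaces project, showing the two defensive measures a practitioner would expect here: HTML attribute encoding of the value at render time, and an allowlist check on the incoming parameter that a request filter can apply before the JSF lifecycle runs. The class and method names are hypothetical, and the allowlist assumes server-side state saving as in the report, where the identifier looks like _id2; client-side state saving produces a Base64 blob and would need a different pattern.

```java
import java.util.regex.Pattern;

public final class ViewStateHiddenField {

    // Encode a string for use inside a double-quoted HTML attribute value.
    // These five characters are the ones that can terminate the attribute,
    // start a new tag, or begin an entity.
    static String encodeAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Render the hidden field that the AJAX response carries inside
    // <span id="ajax-view-state">, with the value encoded instead of
    // being copied through unchanged (hypothetical helper).
    static String renderHiddenViewState(String viewState) {
        return "<input type=\"hidden\" name=\"javax.faces.ViewState\""
             + " id=\"javax.faces.ViewState\" value=\""
             + encodeAttribute(viewState) + "\" />";
    }

    // Allowlist for server-side view state identifiers (assumption: the
    // application uses server-side state saving and identifiers such as
    // "_id2" never contain markup characters). A servlet filter can reject
    // any request whose javax.faces.ViewState parameter fails this check.
    private static final Pattern SERVER_STATE_ID =
            Pattern.compile("^[A-Za-z0-9_:\\-]{1,64}$");

    static boolean isWellFormedServerStateId(String viewState) {
        return viewState != null && SERVER_STATE_ID.matcher(viewState).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: the benign value from the report and the
        // audit payload from the POST body above.
        String benign  = "_id2";
        String payload = "_id2\"<script>alert(document.cookie);</script>";

        // Encoded rendering: the quote and angle brackets become entities,
        // so the browser sees one hidden input and no script element.
        System.out.println(renderHiddenViewState(benign));
        System.out.println(renderHiddenViewState(payload));

        // Allowlist check: only the benign identifier passes.
        System.out.println(isWellFormedServerStateId(benign));
        System.out.println(isWellFormedServerStateId(payload));
    }
}
```

Encoding at the point of output is the fix that closes the hole regardless of where the value came from; the allowlist check is the extra layer the reporter alludes to with "we could filter each request", and it is only valid for the server-side identifier format, which is why the report could not reproduce the issue once javax.faces.STATE_SAVING_METHOD was switched to client.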



> hidden field javax.faces.ViewState is not sanitized
> ---------------------------------------------------
>
>                 Key: RF-4712
>                 URL: https://jira.jboss.org/jira/browse/RF-4712
>             Project: RichFaces
>          Issue Type: Bug
>    Affects Versions: 3.2.2
>         Environment: jsf-ri 1.2_09-BETA1,  WindowsXP, Firefox 3.0.0.3
>            Reporter: Gerrit Brehmer
>            Assignee: Viktor Volkov
>
> Sorry for duplicating the old bug, but I think he had the same problem...
> We had a Security Audit of our Web Portal and they found a possible Cross Site Scripting Problem:
> If I attach the following at any JSF site url I get a javascript popup:
> ?AJAXREQUEST=&javax.faces.ViewState=j_id1s"/><img+src=XX+onerror=alert(1)>
> I know that we could filter each request.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira