From: Leonardo Uribe
Date: Mon, 05 Dec 2011 09:36:57 -0500
To: announce@apache.org, announce@myfaces.apache.org
CC: dev@myfaces.apache.org, users@myfaces.apache.org
Message-ID: <4EDCD709.8050605@apache.org>
Subject: [CVE-2011-4343] Apache MyFaces information disclosure vulnerability

--------------------------------------------------------------------------------------------------

CVE-2011-4343: Apache MyFaces information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
MyFaces Core 2.0.1 to 2.0.10
MyFaces Core 2.1.0 to 2.1.4

Description:
If a submit outcome includes both faces-redirect=true and includeViewParams=true (or the faces-include-view-params=true alias), it is possible to inject EL expressions directly into input fields mapped as view parameters.

Mitigation:
2.0.x users should update to 2.0.11
2.1.x users should update to 2.1.5
or apply the patch available on
https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch

Example:

Bean (request scoped):

    import javax.faces.context.FacesContext;

    private String value; // +getter+setter

    public String submit() {
        // Redirect back to the current view with view params included:
        // the combination of flags described above
        String viewId = FacesContext.getCurrentInstance().getViewRoot().getViewId();
        return viewId + "?faces-redirect=true&includeViewParams=true";
    }

View:

Credit:
Issue reported on the JAVASERVERFACES issue tracker by user BalusC, and reported back to MyFaces by Frederick Kämpfer.

References:
https://issues.apache.org/jira/browse/MYFACES-3405
http://java.net/jira/browse/JAVASERVERFACES-2247

--------------------------------------------------------------------------------------------------

regards,
Leonardo Uribe
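Added example, not part of the advisory or of the MyFaces code base: the same redirect-after-post as the bean above, but the view parameter is passed as an explicit map through ViewHandler.getRedirectURL with includeViewParams left off, so the submitted value travels as URL-encoded query data instead of riding on the navigation outcome string. The class name SafeRedirectBean and the parameter name value are assumptions; upgrading or applying the patch listed above remains the advisory's mitigation.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.faces.application.ViewHandler;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Assumed class name; the field is bound to the same input as in the advisory's bean.
@ManagedBean
@RequestScoped
public class SafeRedirectBean {

    private String value;

    public String getValue() { return value; }
    public void setValue(String value) { this.value = value; }

    public String submit() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ext = ctx.getExternalContext();
        String viewId = ctx.getViewRoot().getViewId();

        // Explicit parameter map instead of includeViewParams=true.
        // "value" as the query parameter name is an assumption.
        Map<String, List<String>> params = Collections.singletonMap(
                "value", Collections.singletonList(value == null ? "" : value));

        // includeViewParams=false: the view handler percent-encodes the map
        // entries as query data and does not consult the view's f:viewParam set.
        ViewHandler vh = ctx.getApplication().getViewHandler();
        String url = vh.getRedirectURL(ctx, viewId, params, false);

        // Issue the redirect ourselves rather than returning an outcome string.
        ext.redirect(url);
        ctx.responseComplete();
        return null;
    }
}
```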