Search This Blog

Wednesday, June 20, 2007

[UNIX] Apache MyFaces Tomahawk JSF Framework Cross-Site Scripting (XSS)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Apache MyFaces Tomahawk JSF Framework Cross-Site Scripting (XSS)
------------------------------------------------------------------------


SUMMARY

Java Server Faces, <http://myfaces.apache.org/> JSF, is "a framework used
to create server side GUI Web applications. It is comparable to the Java
Struts framework. Apache MyFaces Tomahawk is an open source implementation
of JSF. The Tomahawk version contains Apache extensions to the base
specification". Remote exploitation of an input validation vulnerability
in Apache Software Foundation's MyFaces Tomahawk JSF framework could allow
an attacker to perform a cross-site scripting (XSS) attack.

DETAILS

Vulnerable Systems:
* MyFaces Tomahawk version 1.1.5

Immune Systems:
* MyFaces Tomahawk version 1.1.6

The code responsible for parsing HTTP requests is vulnerable to an XSS
vulnerability. When parsing the 'autoscroll' parameter from a POST or GET
request, the value of this variable is directly inserted into JavaScript
that is sent back to the client. This allows an attacker to run arbitrary
JavaScript in the context of the affected domain of the MyFaces
application being targeted.

Analysis:
Successful exploitation of this vulnerability allows an attacker to
conduct an XSS attack on a user. This could allow an attacker to steal
cookies, inject content into pages, or submit requests using the user's
credentials.

To exploit this vulnerability, an attacker must use social engineering
techniques to persuade the user to click a link to a Web application that
uses MyFaces Tomahawk. In the following example, the [javascript] portion
of the request would be present unfiltered in the returned content.

http://www.vulnerable.tld/some_app.jsf?autoscroll=[javascript]

Vendore response:
The Apache Software Foundation MyFaces team has addressed this
vulnerability by releasing version 1.1.6 of MyFaces Tomahawk. More
information can be found at the following URL:
<http://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12312536&styleName=Text&projectId=12310272> http://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12312536&styleName=Text&projectId=12310272

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3101>
CVE-2007-3101

Disclosure Timeline:
06/05/2007 - Initial vendor notification
06/05/2007 - Initial vendor response
06/14/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=544>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=544

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: