what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apache MyFaces Information Disclosure

Apache MyFaces Information Disclosure
Posted Feb 10, 2012
Authored by Leonardo Uribe

Apache MyFaces Core versions 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5 suffer from a remote file disclosure vulnerability.

tags | exploit, remote, info disclosure
advisories | CVE-2011-4367
SHA-256 | a113b6a3cb5d4d9cc3a27c8cb2063965d3394277046397171fde1d787ec38f30

Apache MyFaces Information Disclosure

Change Mirror Download
--------------------------------------------------------------------------------------------------

CVE-2011-4367: Apache MyFaces information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
MyFaces Core 2.0.1 to 2.0.11
MyFaces Core 2.1.0 to 2.1.5
Earlier versions are not affected

Description:

MyFaces JavaServer Faces (JSF) allows relative paths in the
javax.faces.resource 'ln' parameter or writing the url so the resource
name include '..' sequences . An attacker could use the security
vulnerability to view files that they should not be able to.

Mitigation:

Users of affected versions should apply one of the following mitigations:
MyFaces Core 2.0.x users should update to 2.0.12
MyFaces Core 2.1.x users should update to 2.1.6

Example:

In linux or similar systems:

http://<hostname>:<port>/<context-root>/faces/javax.faces.resource/web.xml?ln=../WEB-INF
http://<hostname>:<port>/<context-root>/faces/javax.faces.resource/../WEB-INF/web.xml

or in windows systems:

http://<hostname>:<port>/<context-root>/faces/javax.faces.resource/web.xml?ln=..\\WEB-INF
http://<hostname>:<port>/<context-root>/faces/javax.faces.resource/..\\WEB-INF/web.xml

The 'ln' parameter should not allow a relative path. In the above example
the contents of the web.xml are displayed in the response to the attacker.
The part of the url that derive the resource name should not allow '..' as
valid char sequence.

Credit: Issue reported by Paul Nicolucci thanks to the security team at IBM

References:

--------------------------------------------------------------------------------------------------

regards,

Leonardo Uribe
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close