Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31254
HistoryOct 16, 2014 - 12:00 a.m.

SEC Consult SA-20141015-0 :: Potential Cross-Site Scripting in ADF Faces

2014-10-1600:00:00
vulners.com
41

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20141015-0 >

          title: Potential Cross-Site Scripting
        product: ADF Faces

vulnerable version: 12.1.2.0
fixed version: versions with CPU Oct-2014 patch applied
impact: low
homepage: http://www.oracle.com/adf
found: 2014-05-01
by: W. Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com

Vendor description:


"Oracle ADF is an end-to-end Java EE framework that simplifies application
development by providing out-of-the-box infrastructure services and a visual
and declarative development experience."

URL: http://www.oracle.com/technetwork/developer-tools/adf/overview/index.html

Vulnerability overview/description:


The ADF JSF implementation (ADF Faces) does not properly encode URLs specified
as a target to the goButton component. As this behavior is neither intuitive
nor documented in the component documentation [1] an application developer may
allow a user to specify destination URLs. In such an application, an
attacker is able to specify JavaScript code that is executed in the victims
browser as soon as the victim clicks on the goButton component.

[1] http://jdevadf.oracle.com/adf-richclient-demo/docs/tagdoc/af_goButton.html

Proof of concept:


The following snippet demonstrates a vulnerable JSF page:

[…]
<af:goButton destination="#{param['url']}" text="Continue to URL"/>
[…]

If this JSF page is called using the following URL, JavaScript code is
injected:

http://<host>/<path>?test=%27alert%28%27XSS!%27%29%27

As soon as the victim clicks on the goButton component the attackers code is
executed.

Vulnerable / tested versions:


The version 12.1.2.0 of ADF Faces was found to be vulnerable. This was the
latest version at the time of discovery.

Vendor contact timeline:


2014-05-21: Contacting vendor through [email protected]
2014-05-22: Oracle confirms receipt of the advisory and says that
vulnerability is being investigated (BUG ID: S0454750)
2014-05-23: Oracle states that this vulnerability (when confirmed)
will be addressed on an upcoming CPU
2014-06-25: Oracle confirms vulnerability, says it will be addressed
with the next CPU
2014-10-14: Oracle publishes the CPU
2014-10-15: SEC Consult releases a coordinated security advisory

Solution:


Update to the newest version.

More information can be found at:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Workaround:


As a workaround the "button" component can be used to replace the
"goButton" component.

Advisory URL:


https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to [email protected]

EOF W. Ettlinger / @2014
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 &#40;MingW32&#41;
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJUPmRmAAoJECyFJyAEdlkKzysIAJ8Sok/wnUGhpDh/rk54f5H3
aROuwjjho2TW3moFfFU/ppv91kXVN9jU1Vhv6RpsQjgfSVfz7wM9ywM4UpyC6c+N
tnmmj7beqb7yqfMF69d3NiiX7caseIisimLsSFiTm13siegonLNjHBaCXVR9Rhyh
Y1jsPy81eZIDNnw2iMUutIeIAP0tGS6G/4gA3tAiB2J4hv8DHWPUXVaFTm4SMFiQ
L0umdzsnnGuPOHNfbPbGaonaWdtUear4v+TWc4fRzeNPAYVOmUREprR0KDWo7grk
8UvF+eBE2nsRYicLBWuGCSCYCGMnNiJxUX9OfsL3b12yGNv5Eng4leXA/Hhkq2c=
=LX0+
-----END PGP SIGNATURE-----