598164 – (CVE-2010-2086) CVE-2010-2086 MyFaces: XSS via state view

Bug 598164 (CVE-2010-2086) - CVE-2010-2086 MyFaces: XSS via state view

Summary: CVE-2010-2086 MyFaces: XSS via state view

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-2086
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	https://www.trustwave.com/spiderlabs/...
Whiteboard:
Depends On:
Blocks:	717649
TreeView+	depends on / blocked

Reported:	2010-05-31 16:03 UTC by Jan Lieskovsky
Modified:	2024-08-27 09:04 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2011-10-13 07:24:03 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Lieskovsky 2010-05-31 16:03:41 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2086 to
the following vulnerability:

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application
Server and other applications, does not properly handle an unencrypted
view state, which allows remote attackers to conduct cross-site
scripting (XSS) attacks or execute arbitrary Expression Language (EL)
statements via vectors that involve modifying the serialized view
object.

References:
  [1] http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf
  [2] https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
  [3] http://myfaces.apache.org/

Comment 1 Vincent Danen 2011-04-21 17:51:02 UTC

I believe that encryption support was added in MyFaces 1.1.1, so earlier versions would not be affected by this flaw.  For instance, looking at MyFaces 1.1.0:

myfaces-1.1.0-src/share/src/java/org/apache/myfaces% grep -r -i encryption *

This yields nothing.  Yet in 1.1.4:

myfaces-core-1.1.4/source/org/apache/myfaces% grep -r -i encryption *
shared_impl/util/StateUtils.java: * <p>This Class exposes a handful of methods related to encryption,
...

Only StateUtils.java makes any mention of encryption.  So, like CVE-2010-2057, this shouldn't affect myfaces-1.1.0.

Can someone confirm please?

Comment 2 David Jorm 2011-06-23 04:32:10 UTC

From the trustwave advisory:

"When the application's view state is not encrypted, it is
possible for an attacker to supply a new or modified view
object as part of a request. The malicious view can contain
arbitrary HTML code (allowing Cross-Site Scripting), and
arbitrary Expression Language (EL) [11] statements that will
be executed on the server. The EL statements can be used to
read data stored in user-scoped session variables, and
application or server-scoped variables. Since these
variables should be inaccessible by the user, it is not
uncommon to store sensitive data in them."

The problem is that we *don't* have encryption enabled for client-side viewstate. We should upgrade to myfaces >= 1.1.9.

Comment 3 David Jorm 2011-06-28 01:30:14 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
JBoss Enterprise Web Server 1.0.0 ships with Apache MyFaces 1.1.0. Apache MyFaces 1.1.0 does not support encrypted
view state. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. This allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

JBoss Enterprise Web Server 1.0.1 and later does not ship with Apache MyFaces. Upgrading to JBoss Enterprise Web Server 1.0.1 or later is recommended to mitigate this issue.

Note You need to log in before you can comment on or make changes to this bug.