
Details

    • Bug
    • Resolution: Done
    • Critical
    • 4.3.0.GA_CP09, 4.2.0.GA_CP10
    • 4.2.0.GA_CP09, 4.3.0.GA_CP08
    • Seam
    • None
    • Release Notes
      An input sanitization flaw was found in the way JBoss Seam processed certain parametrized JBoss Expression Language (EL) expressions. A remote attacker could use this flaw to execute parameterless methods on Seam components via a URL, containing appended, specially-crafted expression language parameters, provided to certain applications based on the JBoss Seam framework.
      Red Hat would like to thank Meder Kydyraliev of the Google Security Team for responsibly reporting this issue.
    • Documented as Resolved Issue

    Description

      The Seam 2.x actionOutcome parameter issue (JBPAPP-4714, JBPAPP-4717) also affects Seam 1.x to some degree. The injected code however cannot contain method parameters, so it's probably harmless, but steps to sanitize it should be taken.

      For example, in the booking application the following URL can be used to retrieve the user's password (in the address bar):
      http://localhost:8080/seam-booking/home.seam?actionOutcome=/x.html?password%3d%23{user.password}
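As an added example (not part of this issue or of Seam's own code), a detection check a defender could run over web access logs: it decodes the actionOutcome parameter and flags values containing an EL marker (`#{` or `${`), which a legitimate view id never needs. The log lines are constructed for the example, and the second decoding pass, which catches double-encoded variants, goes beyond the single-encoded URL in the report.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Markers that open a JBoss EL expression. A genuine actionOutcome is a view id
# such as /hotel.xhtml and has no reason to contain either of them.
EL_MARKERS = ("#{", "${")


def extract_action_outcome(url: str) -> Optional[str]:
    """Return the fully decoded actionOutcome parameter of a request URL, or None."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("actionOutcome")
    if not values:
        return None
    # parse_qs already percent-decodes once; decoding again exposes
    # double-encoded markers such as %2524%257B (assumption: worth flagging too).
    return unquote(values[0])


def is_el_injection(url: str) -> bool:
    """True when the request's actionOutcome carries an EL expression marker."""
    outcome = extract_action_outcome(url)
    return outcome is not None and any(marker in outcome for marker in EL_MARKERS)


# Constructed access-log lines in combined log format (not taken from the issue).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2010:10:00:01 +0000] "GET /seam-booking/home.seam?actionOutcome=/hotel.xhtml HTTP/1.1" 200 512
10.0.0.9 - - [01/Aug/2010:10:00:02 +0000] "GET /seam-booking/home.seam?actionOutcome=/x.html?password%3d%23{user.password} HTTP/1.1" 302 0
10.0.0.9 - - [01/Aug/2010:10:00:03 +0000] "GET /seam-booking/home.seam?actionOutcome=/x.html?a%3d%2524%257Buser.name%257D HTTP/1.1" 302 0
"""

# Captures the request target of each GET/POST line.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_requests(log_text: str) -> List[str]:
    """Return every request URL in the log whose actionOutcome contains an EL marker."""
    return [m.group(1) for m in LOG_RE.finditer(log_text) if is_el_injection(m.group(1))]


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("EL marker in actionOutcome:", hit)
```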


          People

            mnovotny@redhat.com Marek Novotny
            oskutka@redhat.com Ondrej Skutka
