Apache MyFaces 2.0 / 2.1 Information Disclosure

`--------------------------------------------------------------------------------------------------  
CVE-2011-4343: Apache MyFaces information disclosure vulnerability  
  
Severity: Important  
  
Vendor: The Apache Software Foundation  
  
Versions Affected:  
MyFaces Core 2.0.1 to 2.0.10  
MyFaces Core 2.1.0 to 2.1.4  
  
Description:  
  
If a submit outcome includes both faces-redirect=true and  
includeViewParams=true  
(or faces-include-view-params=true alias) it is possible to inject EL  
expressions  
directly into input fields mapped as view parameters.  
  
Mitigation:  
  
2.0.x users should update to 2.0.11  
2.1.x users should update to 2.1.5  
or apply the patch available on  
https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch  
  
Example:  
  
Bean (request scoped):  
  
private String value; // +getter+setter  
  
public String submit() {  
String viewId = FacesContext.  
getCurrentInstance().getViewRoot().getViewId();  
return viewId + "?faces-redirect=true&includeViewParams=true";  
}  
  
View:  
  
<f:metadata>  
<f:viewParam name="value" value="#{bean.value}" />  
</f:metadata>  
<h:form>  
<h:inputText value="#{bean.value}" />  
<h:commandButton value="submit" action="#{bean.submit}" />  
</h:form>  
  
Credit: Issue reported on JAVASERVERFACES issue tracer by user BalusC,  
and reported back to MyFaces by Frederick Kämpfer.  
  
References:  
https://issues.apache.org/jira/browse/MYFACES-3405   
<https://issues.apache.org/jira/browse/MYFACES-3405>  
http://java.net/jira/browse/JAVASERVERFACES-2247   
<http://java.net/jira/browse/JAVASERVERFACES-2247>  
  
--------------------------------------------------------------------------------------------------  
  
regards,  
  
Leonardo Uribe  
`