Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ADF Faces 12.1.2.0 Cross Site Scripting

🗓️ 15 Oct 2014 00:00:00Reported by Wolfgang EttlingerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 36 Views

Potential Cross-Site Scripting in ADF Faces 12.1.2.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
SEC Consult Vulnerability Lab Security Advisory < 20141015-0 >  
=======================================================================  
title: Potential Cross-Site Scripting  
product: ADF Faces  
vulnerable version: 12.1.2.0  
fixed version: versions with CPU Oct-2014 patch applied  
impact: low  
homepage: http://www.oracle.com/adf  
found: 2014-05-01  
by: W. Ettlinger  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
- -------------------  
"Oracle ADF is an end-to-end Java EE framework that simplifies application  
development by providing out-of-the-box infrastructure services and a visual  
and declarative development experience."  
  
URL: http://www.oracle.com/technetwork/developer-tools/adf/overview/index.html  
  
  
Vulnerability overview/description:  
- -----------------------------------  
The ADF JSF implementation (ADF Faces) does not properly encode URLs specified  
as a target to the goButton component. As this behavior is neither intuitive  
nor documented in the component documentation [1] an application developer may  
allow a user to specify destination URLs. In such an application, an  
attacker is able to specify JavaScript code that is executed in the victims  
browser as soon as the victim clicks on the goButton component.  
  
[1] http://jdevadf.oracle.com/adf-richclient-demo/docs/tagdoc/af_goButton.html  
  
Proof of concept:  
- -----------------  
The following snippet demonstrates a vulnerable JSF page:  
  
[...]  
<af:goButton destination="#{param['url']}" text="Continue to URL"/>  
[...]  
  
If this JSF page is called using the following URL, JavaScript code is  
injected:  
  
http://<host>/<path>?test=%27*alert%28%27XSS!%27%29*%27  
  
As soon as the victim clicks on the goButton component the attackers code is  
executed.  
  
  
Vulnerable / tested versions:  
- -----------------------------  
The version 12.1.2.0 of ADF Faces was found to be vulnerable. This was the  
latest version at the time of discovery.  
  
  
Vendor contact timeline:  
- ------------------------  
2014-05-21: Contacting vendor through [email protected]  
2014-05-22: Oracle confirms receipt of the advisory and says that  
vulnerability is being investigated (BUG ID: S0454750)  
2014-05-23: Oracle states that this vulnerability (when confirmed)  
will be addressed on an upcoming CPU  
2014-06-25: Oracle confirms vulnerability, says it will be addressed  
with the next CPU  
2014-10-14: Oracle publishes the CPU  
2014-10-15: SEC Consult releases a coordinated security advisory  
  
  
Solution:  
- ---------  
Update to the newest version.  
  
More information can be found at:  
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html  
  
  
Workaround:  
- -----------  
As a workaround the "button" component can be used to replace the  
"goButton" component.  
  
  
Advisory URL:  
- -------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested to work with the experts of SEC Consult?  
Write to [email protected]  
  
EOF W. Ettlinger / @2014  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/  
  
iQEcBAEBAgAGBQJUPmRmAAoJECyFJyAEdlkKzysIAJ8Sok/wnUGhpDh/rk54f5H3  
aROuwjjho2TW3moFfFU/ppv91kXVN9jU1Vhv6RpsQjgfSVfz7wM9ywM4UpyC6c+N  
tnmmj7beqb7yqfMF69d3NiiX7caseIisimLsSFiTm13siegonLNjHBaCXVR9Rhyh  
Y1jsPy81eZIDNnw2iMUutIeIAP0tGS6G/4gA3tAiB2J4hv8DHWPUXVaFTm4SMFiQ  
L0umdzsnnGuPOHNfbPbGaonaWdtUear4v+TWc4fRzeNPAYVOmUREprR0KDWo7grk  
8UvF+eBE2nsRYicLBWuGCSCYCGMnNiJxUX9OfsL3b12yGNv5Eng4leXA/Hhkq2c=  
=LX0+  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Oct 2014 00:00Current
0.6Low risk
Vulners AI Score0.6
oracle adfjava eesecurity advisory
36