Potential Cross-Site Scripting in ADF Faces

SEC Consult Vulnerability Lab Security Advisory < 20141015-0 >


title: Potential Cross-Site Scripting

product: ADF Faces

vulnerable version:

fixed version: versions with CPU Oct-2014 patch applied

impact: low

homepage: www.oracle.com/adf

found: 2014-05-01

by: W. Ettlinger

SEC Consult Vulnerability Lab




Vendor description:


"Oracle ADF is an end-to-end Java EE framework that simplifies application

development by providing out-of-the-box infrastructure services and a visual

and declarative development experience."


URL: www.oracle.com/technetwork/developer-tools/adf/overview/index.html



Vulnerability overview/description:


The ADF JSF implementation (ADF Faces) does not properly encode URLs specified

as a target to the goButton component. As this behavior is neither intuitive

nor documented in the component documentation [1] an application developer may

allow a user to specify destination URLs. In such an application, an

attacker is able to specify JavaScript code that is executed in the victims

browser as soon as the victim clicks on the goButton component.


[1] jdevadf.oracle.com/adf-richclient-demo/docs/tagdoc/af_goButton.html


Proof of concept:


The following snippet demonstrates a vulnerable JSF page:


<af:goButton destination="#{param['url']}" text="Continue to URL"/>



If this JSF page is called using the following URL, JavaScript code is



http:// <host>/<path>?test=%27*alert%28%27XSS!%27%29*%27


As soon as the victim clicks on the goButton component the attackers code is




Vulnerable / tested versions:


The version of ADF Faces was found to be vulnerable. This was the

latest version at the time of discovery.



Vendor contact timeline:


2014-05-21: Contacting vendor through secalert_us@oracle.com

2014-05-22: Oracle confirms receipt of the advisory and says that

vulnerability is being investigated (BUG ID: S0454750)

2014-05-23: Oracle states that this vulnerability (when confirmed)

will be addressed on an upcoming CPU

2014-06-25: Oracle confirms vulnerability, says it will be addressed

with the next CPU

2014-10-14: Oracle publishes the CPU

2014-10-15: SEC Consult releases a coordinated security advisory





Update to the newest version.


More information can be found at:






As a workaround the "button" component can be used to replace the

"goButton" component.



Advisory URL:






SEC Consult Vulnerability Lab


SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius



Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15


Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult


Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com


EOF W. Ettlinger / @2014