“JavaServer Faces technology simplifies building user interfaces for JavaServer applications. Developers can build web applications by assembling reuseable UI components in a page; connecting these components to an application data source; and wiring client-generated events to server-side event handlers. This project provides information on the continued development of the JavaServer Faces specification. JavaServer Faces (JSF) is a JCP Standard technology for authoring component based user interfaces on the Java EE platform.”
By exploiting the vulnerability documented in this advisory, an attacker can execute arbitrary scripts in the context of the web application in the victim’s browser. Besides performing arbitrary actions within the application with the victim’s account or manipulating the application’s interface, the attacker can potentially steal session tokens, redirect the victim to external pages and perform attacks against their browser.
SEC Consult recommends users to implement the available patches.
Vulnerability Overview / Description
The Mojarra implementation of JavaServer Faces (JSF) v2.2 and v2.3 lacks input validation on the javax.faces.ClientWindow parameter which can lead to reflected cross-site scripting (XSS) under certain conditions.
Mojarra JSF v2.2 and v2.3 are respectively the user interface standards for Java EE 7 and Java EE 8.
The vulnerability is not directly exploitable in Mojarra JSF v2.2 and v2.3. However, different frameworks based on this library and having a custom implementation of the Faces-Request HTTP headers for AJAX requests might be affected. PrimeFaces v6.0 is one example of a vulnerable framework.
This vulnerability affects the web applications fulfilling the following conditions:
- Usage of a framework based on Mojarra JSF v2.2 or v2.3
- Usage of AJAX requests in the web applications
- Custom implementation of the Faces-Request HTTP headers for AJAX requests
- Presence of the javax.faces.CLIENT_WINDOW_MODE context parameter set to “url” in the web.xml file:
<context-param> <param-name>javax.faces.CLIENT_WINDOW_MODE</param-name> <param-value>url</param-value> </context-param>
Proof Of Concept
In this proof of concept, the tests are based on PrimeFaces v6.0, an open source framework for JSF. Other frameworks based on Mojarra JSF 2.2 or 2.3 might also be affected.
Generate an AJAX request on the web application and intercept it.
POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1 Host: $IP Content-Length: 405 Accept: application/xml, text/xml, */*; q=0.01 Origin: $IP X-Requested-With: XMLHttpRequest Faces-Request: partial/ajax Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163 Connection: close javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0
Transpose the POST parameters into GET parameters and build a new URL with it.
Strip out the javax.faces.ViewState GET parameter from the URL.
Prefix the javax.faces.ClientWindow GET parameter with the following PoC payload.
To trigger the XSS, the victim just needs to browse to the crafted link of step 4.
Vulnerable / Tested Versions
The following version has been tested:
- Mojarra JSF v2.2 included in Java EE 7
- Mojarra JSF v2.3 included in Java EE 8 has not been tested but is affected according to the vendor