SEC Consult Vulnerability Lab Security Advisory < 20141015-0 > ======================================================================= title: Potential Cross-Site Scripting product: ADF Faces vulnerable version: 12.1.2.0 fixed version: versions with CPU Oct-2014 patch applied impact: low homepage: http://www.oracle.com/adf found: 2014-05-01 by: W. Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: - ------------------- "Oracle ADF is an end-to-end Java EE framework that simplifies application development by providing out-of-the-box infrastructure services and a visual and declarative development experience." URL: http://www.oracle.com/technetwork/developer-tools/adf/overview/index.html Vulnerability overview/description: - ----------------------------------- The ADF JSF implementation (ADF Faces) does not properly encode URLs specified as a target to the goButton component. As this behavior is neither intuitive nor documented in the component documentation [1] an application developer may allow a user to specify destination URLs. In such an application, an attacker is able to specify JavaScript code that is executed in the victims browser as soon as the victim clicks on the goButton component. [1] http://jdevadf.oracle.com/adf-richclient-demo/docs/tagdoc/af_goButton.html Proof of concept: - ----------------- The following snippet demonstrates a vulnerable JSF page: [...] <af:goButton destination="#{param['url']}" text="Continue to URL"/> [...] If this JSF page is called using the following URL, JavaScript code is injected: http://<host>/<path>?test=%27*alert%28%27XSS!%27%29*%27 As soon as the victim clicks on the goButton component the attackers code is executed. Vulnerable / tested versions: - ----------------------------- The version 12.1.2.0 of ADF Faces was found to be vulnerable. This was the latest version at the time of discovery. Vendor contact timeline: - ------------------------ 2014-05-21: Contacting vendor through secalert_us@oracle.com 2014-05-22: Oracle confirms receipt of the advisory and says that vulnerability is being investigated (BUG ID: S0454750) 2014-05-23: Oracle states that this vulnerability (when confirmed) will be addressed on an upcoming CPU 2014-06-25: Oracle confirms vulnerability, says it will be addressed with the next CPU 2014-10-14: Oracle publishes the CPU 2014-10-15: SEC Consult releases a coordinated security advisory Solution: - --------- Update to the newest version. More information can be found at: http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Workaround: - ----------- As a workaround the "button" component can be used to replace the "goButton" component. Advisory URL: - ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested to work with the experts of SEC Consult? Write to career@sec-consult.com EOF W. Ettlinger / 2014