Apache MyFaces Tomahawk JSF Framework Autoscroll Parameter Cross Site Scripting Vulnerability
TITLE: Apache MyFaces Tomahawk JSF Framework Autoscroll Parameter Cross Site Scripting Vulnerability
CLASS: Input Validation Error
CVE: CVE-2007-3101
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 14 2007 12:00AM
UPDATE: Jun 15 2007 04:39AM
CREDIT: This vulnerability was reported to iDefense by Rajat Swarup of VeriSign Global Security Consulting.
VULNERABLE:
Apache MyFaces Tomahawk 1.1.5
NOT VULNERABLE: Apache MyFaces Tomahawk 1.1.6
Discussion
Apache MyFaces Tomahawk JSF Framework is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input passed in the autoscroll parameter.
Exploiting this vulnerability may allow an attacker to launch cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
Exploit
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.
The following proof-of-concept URI is available:
http://www.example.com/some_app.jsf?autoscroll=[javascript]
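As an added example (not part of the original advisory, and not Tomahawk's own code), the following Python contrasts the defect class with two defender-side controls for a reflected parameter like this one: an allow-list validator applied before the value is rendered into page script, and an access-log audit that flags requests whose autoscroll value fails that allow-list. It assumes the parameter is meant to carry numeric `x,y` scroll coordinates, which the advisory does not state; the parameter name is taken from the proof-of-concept URI above, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION (not stated in the advisory): an autoscroll-style parameter is
# expected to carry a numeric "x,y" coordinate pair, so an allow-list is the
# right control; anything else is replaced rather than reflected.
AUTOSCROLL_RE = re.compile(r"\d{1,6},\d{1,6}")
PARAM_NAME = "autoscroll"  # name as it appears in the advisory's PoC URI


def sanitize_autoscroll(value, default="0,0"):
    """Return value if it is a well-formed coordinate pair, else a safe default."""
    if value is not None and AUTOSCROLL_RE.fullmatch(value):
        return value
    return default


def render_vulnerable(value):
    """Defect class: the raw request parameter is reflected into inline script."""
    return f"<script>window.scrollTo({value});</script>"


def render_scroll_script(value):
    """Hardened form: only validated integers reach the script body, so no
    request-controlled text is ever interpreted as JavaScript."""
    x, y = sanitize_autoscroll(value).split(",")
    return f"<script>window.scrollTo({int(x)}, {int(y)});</script>"


def audit_access_log(lines):
    """Flag (request_target, value) pairs whose autoscroll value fails the allow-list.

    Expects simplified common-log-format lines containing '"GET <target> HTTP/'.
    """
    findings = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        params = parse_qs(urlsplit(target).query)
        for v in params.get(PARAM_NAME, []):
            if not AUTOSCROLL_RE.fullmatch(v):
                findings.append((target, v))
    return findings


# Constructed sample log lines (not real traffic); the second one mirrors the
# advisory's proof-of-concept URI with its "[javascript]" placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jun/2007:10:00:00 +0000] "GET /some_app.jsf?autoscroll=120,340 HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Jun/2007:10:00:02 +0000] "GET /some_app.jsf?autoscroll=[javascript] HTTP/1.1" 200 640',
    '10.0.0.7 - - [14/Jun/2007:10:00:05 +0000] "GET /other.jsf HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(render_vulnerable("[javascript]"))      # placeholder reflected verbatim
    print(render_scroll_script("[javascript]"))   # falls back to scrollTo(0, 0)
    print(render_scroll_script("120,340"))
    print(audit_access_log(SAMPLE_LOG))
```

The allow-list is preferable to output encoding here because the value is interpolated into a JavaScript call, where HTML escaping alone does not help; the audit function reuses the same rule so detection and prevention cannot drift apart.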
Solution
The vendor has released version 1.1.6 to address this issue; please see the reference section for details.
References