Security issue - EL injection via DynamicContentStreamer
-
- Prime
- Posts: 18616
- Joined: 05 Jan 2009, 00:21
- Location: Cybertron
There are plans to drop dynamiccontentstreamer and use our custom ResourceHandler to do this stuff for 3.0.
-
- Posts: 12
- Joined: 27 Apr 2011, 18:00
> There are plans to drop dynamiccontentstreamer and use our custom ResourceHandler to do this stuff for 3.0.
Glad to hear that (I would vote to reclassify as a bug or at least assign higher priority). I am still willing to send you the exploit if you are interested.
http://code.google.com/p/primefaces/iss ... il?id=2073
> The following code could be used to prevent the injection until this issue is resolved:
Yes, simple solution.
However, if one uses JSF's error handling mechanism the way the error page is also served by JSF, then the result of the exploit still might be shown.
So, in our case, we made a redirection to a page not served by JSF.
Just a heads up...
Cheers,
-
- Posts: 12
- Joined: 27 Apr 2011, 18:00
> However, if one uses JSF's error handling mechanism the way the error page is also served by JSF, then the result of the exploit still might be shown.
Very good point. We use JSF error pages... however the ERROR dispatch is also caught (second time) by the protecting servlet filter. We end up showing the error page of the servlet container.
-
- Posts: 1
- Joined: 18 Jul 2017, 08:20
I assume this issue isn't fixed in the elite version 3.5.28, right?
-
- Posts: 12
- Joined: 27 Apr 2011, 18:00
franz.pfeifer wrote (18 Jul 2017, 09:16):
> I assume this issue isn't fixed in the elite version 3.5.28, right?
If you check the issue linked by Optimus (https://code.google.com/archive/p/prime ... ssues/2073), it was fixed for the 3.0 release.