There is an unfortunate severe security hole in the Primefaces implementation. Specifically, the dynamic content feature implemented via the DynamicContentStreamer phase listener allows for custom EL injection. You don't have to use the dynamic content feature; your application still allows this attack.
Let me show you an example of the attack:
Assume a Spring-integrated application. By going to the following URL I am able to get the root application context:
Code:
http://localhost:8080/myApp/whatever.jsf?primefacesDynamicContent=applicationScope.get(param.attr)&attr=org.springframework.web.context.WebApplicationContext.ROOT
Code:
http://localhost:8080/myApp/whatever.jsf?primefacesDynamicContent=applicationScope.get(param.attr).getBean(param.bean).deleteById(param.id)&attr=org.springframework.web.context.WebApplicationContext.ROOT&bean=fooDao&id=1
So this is only for applications integrated with Spring? No. The modus operandi of DynamicContentStreamer is wrong at its core. Allowing for EL injection is bad in every possible scenario. This cannot be fixed without completely changing Primefaces dynamic content handling.
Unfortunately we realized this at a late project stage. So what to do before the Primefaces guys fix this? Well, we came up with a simple workaround: we will implement a custom servlet filter. This filter will check for the primefacesDynamicContent request parameter. If it is present, it will just check its value against a pre-defined set of regular expressions. By doing this, we will control what expressions are being used.
I think this one should be reported as a bug. What do you think?
Thanks for any reply,
Pavel Horal
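The allowlisting servlet filter described in the post, written out as an added example (this is not the original poster's code and not part of PrimeFaces). It assumes the Servlet 2.5/3.0 `javax.servlet` API and two hypothetical bean expressions (`imageBean.chart`, `galleryBean.image`) standing in for whatever your views really pass to dynamic content; the parameter name `primefacesDynamicContent` is the one the post names. Two details a practitioner would want: every value of the parameter is checked (a request can carry it more than once), and the patterns are matched with `matches()`, which requires the whole value to match, so `applicationScope.get(param.attr)` cannot ride along as a prefix or suffix of an allowed expression.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical allowlist filter for the primefacesDynamicContent parameter.
 * Example code written for this page, not PrimeFaces code and not the
 * original poster's implementation.
 */
public class DynamicContentAllowlistFilter implements Filter {

    /** Parameter name read by PrimeFaces' DynamicContentStreamer (named in the post). */
    static final String PARAM = "primefacesDynamicContent";

    /**
     * Allowed expression shapes. The bean/property names are assumptions for
     * this example; list exactly the expressions your own views use.
     * Anchors are kept for readability even though matches() is whole-string.
     */
    static final List<Pattern> ALLOWED = Arrays.asList(
        Pattern.compile("^imageBean\\.chart$"),
        Pattern.compile("^galleryBean\\.image$")
    );

    /** True when the parameter is absent or every supplied value is allowlisted. */
    static boolean isAllowed(String[] values) {
        if (values == null) {
            return true;                // parameter absent: nothing to guard
        }
        for (String v : values) {       // check all values, not only the first
            if (v == null) {
                return false;
            }
            boolean ok = false;
            for (Pattern p : ALLOWED) {
                if (p.matcher(v).matches()) {
                    ok = true;
                    break;
                }
            }
            if (!ok) {
                return false;           // e.g. "applicationScope.get(param.attr)"
            }
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!isAllowed(req.getParameterValues(PARAM))) {
            // Reject before the FacesServlet, and thus the phase listener, runs.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) {
        // no configuration needed for this example
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml with a `<url-pattern>/*</url-pattern>` (not only `*.jsf`) so that resource and Ajax requests are covered as well, and keep the allowlist strict: anything with a `(`, `[` or a second `.` should be absent from the patterns, since EL method calls and bracket lookups are exactly what the attack URLs above rely on.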