Java Server Faces, JSF, is "a framework used to create server side GUI Web applications. It is comparable to the Java Struts framework. Apache MyFaces Tomahawk is an open source implementation of JSF. The Tomahawk version contains Apache extensions to the base specification". Remote exploitation of an input validation vulnerability in Apache Software Foundation's MyFaces Tomahawk JSF framework could allow an attacker to perform a cross-site scripting (XSS) attack.
Vulnerable Systems:
* MyFaces Tomahawk version 1.1.5
Immune Systems:
* MyFaces Tomahawk version 1.1.6
The code responsible for parsing HTTP requests is vulnerable to an XSS vulnerability. When parsing the 'autoscroll' parameter from a POST or GET request, the value of this variable is directly inserted into JavaScript that is sent back to the client. This allows an attacker to run arbitrary JavaScript in the context of the affected domain of the MyFaces application being targeted.
Analysis:
Successful exploitation of this vulnerability allows an attacker to conduct an XSS attack on a user. This could allow an attacker to steal cookies, inject content into pages, or submit requests using the user's credentials.
To exploit this vulnerability, an attacker must use social engineering techniques to persuade the user to click a link to a Web application that uses MyFaces Tomahawk. In the following example, the [javascript] portion of the request would be present unfiltered in the returned content.
