Potential EL Injection #1152

Closed
n0def opened this issue Feb 15, 2016 · 22 comments

@n0def commented Feb 15, 2016

As already shared privately last year, "/org/primefaces/application/resource/StreamedContentHandler.java" is vulnerable to remotely exploitable code execution through EL Injection.

You can find more information here:
http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html

@cagataycivici (Member) commented Feb 15, 2016

Thank you, do you have any suggestion for a fix?

@cagataycivici (Member) commented Feb 15, 2016

Fixed via 26e44eb

Please review and reopen if necessary.

@cagataycivici cagataycivici added this to the 6.0 milestone Feb 15, 2016

@cagataycivici cagataycivici changed the title from "EL Injection in Primefaces 5.x" to "Potential EL Injection" Feb 15, 2016

@n0def (Author) commented Feb 15, 2016

I'll check more thoroughly tomorrow with our team, but the fix seems to be good.

@cagataycivici (Member) commented Feb 15, 2016

Here is a refactor:

21b5b63

We keep an internal map in the session now; this map holds the key-expression values. Keys are sent in the URL and StreamedContentHandler gets the key to evaluate it. After that, this map is cleared. Keys are encrypted UUIDs, so there is still the same encryption, but expressions are not exposed in the URL directly now.

I'd appreciate your review.

@n0def (Author) commented Feb 15, 2016

This fix is a good fix, however since you are using UUID.randomUUID().toString() you don't need to encrypt the reference. You could pass the reference to the parameter as it is without encrypting it.
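The two comments above describe the shape of the fix: the page stores the EL expression server-side under a random key, only the key travels in the URL, and the handler resolves the key instead of evaluating request data. The following is an added illustrative model of that design, not PrimeFaces' own code. The class name, the plain `Map` standing in for the session, the UUID format check and the one-time removal are all assumptions of this example; evaluating the stored expression is deliberately left out.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

// Added illustrative model of the fix discussed in the thread; not PrimeFaces' code.
// Assumptions: a plain map stands in for the HttpSession, keys are checked for
// UUID form before lookup, and an entry is dropped once it has been used.
public class DynamicContentRegistry {

    // Stand-in for the per-session map (in a real app this lives in the HttpSession).
    private final Map<String, String> sessionMap = new ConcurrentHashMap<>();

    // Canonical textual form of UUID.randomUUID() (version 4, RFC 4122 variant);
    // anything else is rejected before it is used as a map key.
    private static final Pattern UUID_FORM = Pattern.compile(
            "[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}");

    /**
     * Render side: the page author's expression is stored server-side and only an
     * opaque random key is returned for use in the resource URL. A version-4 UUID
     * carries 122 random bits, so, as n0def notes, encrypting it adds nothing.
     */
    public String register(String valueExpression) {
        String key = UUID.randomUUID().toString();
        sessionMap.put(key, valueExpression);
        return key;
    }

    /**
     * Request side: the handler resolves the key and never treats the request
     * parameter itself as an expression. Returns null for unknown or malformed keys.
     */
    public String resolve(String requestParam) {
        if (requestParam == null || !UUID_FORM.matcher(requestParam).matches()) {
            return null;
        }
        return sessionMap.get(requestParam);
    }

    /** Variant that drops the entry once used, modelling the "map is cleared" step. */
    public String resolveOnce(String requestParam) {
        String expression = resolve(requestParam);
        if (expression != null) {
            sessionMap.remove(requestParam);
        }
        return expression;
    }

    /** Number of outstanding keys; useful when checking that entries are cleaned up. */
    public int size() {
        return sessionMap.size();
    }

    public static void main(String[] args) {
        DynamicContentRegistry registry = new DynamicContentRegistry();

        // Page rendering: the bean expression comes from the page author, not the user.
        String key = registry.register("#{imageBean.streamedContent}");
        System.out.println("URL parameter carries only the key: " + key);

        // Resource request with the legitimate key.
        System.out.println("Resolved: " + registry.resolveOnce(key));

        // Same key a second time: the entry is already gone.
        System.out.println("Replay: " + registry.resolveOnce(key));

        // Request data that is not a key is never looked up, let alone evaluated.
        System.out.println("Non-key input: " + registry.resolve("#{not.a.key}"));
        System.out.println("Outstanding keys: " + registry.size());
    }
}
```

The security property is in `resolve`: the only thing the request can influence is which server-side entry is looked up, and a malformed value is rejected before it reaches the map. Whether the key is additionally encrypted changes nothing about that property, which is the point of n0def's follow-up.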

@cagataycivici (Member) commented Feb 16, 2016

Awesome, thank you for the feedback. We'll do patch releases now.

@cagataycivici cagataycivici self-assigned this Feb 16, 2016

@kukel commented Feb 16, 2016

Great to see something like this fixed. Unfortunately only after public exposure... Bad publicity evidently works to get things done ;-)

Patch release of all 5.x community versions too? Otherwise the exposure is still too big. Or just a small update jar?

@shenzizai commented May 26, 2016

Hello!
I have studied this EL injection for a long time, but as I am not good at Java & JSP, I can only write a PoC for this. Could you tell me the exploit payload?
Thanks!

@ng-anton commented Nov 7, 2017

Does this vulnerability also affect PrimeFaces 4.0? @cagataycivici

@tandraschko (Member) commented Nov 7, 2017

Probably, but not sure. You have to check the sources.

@ng-anton commented Nov 8, 2017

@tandraschko PrimeFaces 4.0 has a different way of handling this kind of request. PrimeFaces 4.0 has no StreamedContentHandler.java and DynamicResourceBuilder.java. But PrimeFaces 4.0 has PrimeResourceHandler.java, which is similar to StreamedContentHandler.java. Can I safely assume that PrimeFaces 4.0 does not have this issue?

@tandraschko (Member) commented Nov 8, 2017

Nope, sorry, it has the same problem.

@ng-anton commented Nov 8, 2017

@tandraschko Oh my... so is it sufficient if I just modify PrimeResourceHandler.java in the same way as StreamedContentHandler.java? What is the replacement for DynamicResourceBuilder.java in PF 4.0?

@tandraschko (Member) commented Nov 8, 2017

Don't have time to help you here. The DynamicResourceBuilder logic was in each Renderer (GraphicImage, Media and another one). I would just upgrade; we also fixed some XSS and many other bugs in the last years.

@ng-anton commented Nov 8, 2017

@tandraschko I don't have the time and resources to upgrade :) even though I want to upgrade. I think I will also look into each Renderer as you mentioned. Thank you very much.

@bschuette commented Dec 30, 2017

I just got CVE-2017-1000486 assigned for this issue via iwantacve.org. This will soon be published on cve.mitre.org and cvedetails.com to help people filter out vulnerable versions.

@melloware (Contributor) commented Jan 16, 2018

It looks like Bitcoin miners have found a way to exploit this bug, so I highly recommend everyone upgrade to a newer patched version. https://forum.primefaces.org/viewtopic.php?f=3&t=53750

@kukel commented Jan 16, 2018

PF creating a 5.2-SR and 5.3-SR (Security Release) would be a real, real good gesture...

See my comment almost 2 years ago: #1152 (comment)

@dataCore commented Jan 19, 2018

Temporary fix in the Apache config (/etc/apache2/sites-available/-ssl) by blocking (denying access to) the exploited xhtml page:
# Deny every request for the dynamic-content resource at the web server,
# before it reaches the JSF application.
<Location /javax.faces.resource/dynamiccontent.properties.xhtml>
    # Apache 2.2 access-control syntax; on 2.4 it needs mod_access_compat,
    # the native 2.4 equivalent being "Require all denied".
    Order allow,deny
    Deny from all
</Location>

WARNING: if your page uses functionality from 'dynamiccontent', it won't work anymore.
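A web-server block like the one above is only a stopgap, and the thread's reports of miners hitting the endpoint make it worth knowing whether it is being requested at all. The following is an added example, not from the thread or the PrimeFaces project: it parses Apache combined-format access log lines, picks out requests whose path is the dynamic-content resource named in the Location block, and tallies them per client and status code, so that a defender can see probes and confirm that they turn into 403s once the block is in place. The log lines, client addresses and the `key=EXAMPLE-KEY` query value are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not from the thread: scan Apache combined-format access log lines
// for requests to the dynamic-content endpoint and summarise them per client and
// status code. All log lines in main() are constructed sample data.
public class DynamicContentLogScan {

    // Path as it appears in the Location block in the thread.
    static final String ENDPOINT = "/javax.faces.resource/dynamiccontent.properties.xhtml";

    // Apache "combined" format: client ident user [time] "METHOD target proto" status bytes ...
    static final Pattern LINE = Pattern.compile(
            "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) ");

    static final class Hit {
        final String client, time, method, target;
        final int status;

        Hit(String client, String time, String method, String target, int status) {
            this.client = client;
            this.time = time;
            this.method = method;
            this.target = target;
            this.status = status;
        }
    }

    /** Returns every parsed request whose path component equals the endpoint. */
    static List<Hit> findHits(List<String> lines) {
        List<Hit> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) {
                continue; // not a combined-format line; skip rather than guess
            }
            String target = m.group(4);
            int q = target.indexOf('?');
            String path = q >= 0 ? target.substring(0, q) : target;
            // Exact match on the path only; the query string (resource key etc.)
            // varies per request and is not needed to recognise the endpoint.
            if (path.equals(ENDPOINT)) {
                hits.add(new Hit(m.group(1), m.group(2), m.group(3), target,
                        Integer.parseInt(m.group(5))));
            }
        }
        return hits;
    }

    /** Count hits per "client status" pair, e.g. to watch 200s turn into 403s after the block. */
    static Map<String, Integer> summarise(List<Hit> hits) {
        Map<String, Integer> counts = new TreeMap<>();
        for (Hit h : hits) {
            counts.merge(h.client + " " + h.status, 1, Integer::sum);
        }
        return counts;
    }

    public static void main(String[] args) {
        // Constructed sample log; addresses are from the documentation ranges and
        // "key=EXAMPLE-KEY" is a placeholder for whatever the request carried.
        List<String> sample = Arrays.asList(
            "198.51.100.4 - - [19/Jan/2018:09:58:11 +0000] \"GET /index.xhtml HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"",
            "203.0.113.7 - - [19/Jan/2018:10:01:05 +0000] \"GET " + ENDPOINT + "?ln=primefaces&key=EXAMPLE-KEY HTTP/1.1\" 200 812 \"-\" \"curl/7.58.0\"",
            "203.0.113.7 - - [19/Jan/2018:10:01:06 +0000] \"GET " + ENDPOINT + "?ln=primefaces&key=EXAMPLE-KEY HTTP/1.1\" 200 812 \"-\" \"curl/7.58.0\"",
            "203.0.113.7 - - [19/Jan/2018:11:30:42 +0000] \"GET " + ENDPOINT + "?ln=primefaces&key=EXAMPLE-KEY HTTP/1.1\" 403 199 \"-\" \"curl/7.58.0\"",
            "198.51.100.4 - - [19/Jan/2018:11:31:00 +0000] \"GET /javax.faces.resource/theme.css.xhtml?ln=primefaces HTTP/1.1\" 200 30412 \"-\" \"Mozilla/5.0\"",
            "this line is not in combined format"
        );

        List<Hit> hits = findHits(sample);
        for (Hit h : hits) {
            System.out.println(h.time + " " + h.client + " " + h.method + " " + h.target + " -> " + h.status);
        }
        summarise(hits).forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```

Reading the logs from a file instead of the inline sample is a matter of feeding `findHits` the lines of the access log. A burst of requests to this path from one client, or any 200 after the block was supposed to be active, is the signal to look at; a 403 tally from the same client confirms the Location block is doing its job.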

@deathkryz commented Jan 24, 2018

I'm dealing with the same miner script.


@SebastianLindner commented Apr 6, 2018

I wrote an article on how this vulnerability can be fixed for projects when an update is not an option. The example is for PrimeFaces 4.
https://www.illucit.com/en/java-ee/primefaces-expression-language-remote-code-execution-fix/
