Sunday, March 23, 2014

JDev/ADF sample - Alert for ADF Security - JSF 2.0 Vulnerability in ADF 11g R2

  • Alert for ADF Security - JSF 2.0 Vulnerability in ADF 11g R2. You should be concerned about your system's security if you are running an ADF runtime based on ADF versions 11.1.2.1.0 - 11.1.2.4.0. These versions use JSF 2.0 with a known security vulnerability, described in "Two Path Traversal Defects in Oracle's JSF2 Implementation". This vulnerability allows the full content of WEB-INF to be downloaded through any browser URL. There is a fix, but JDeveloper IDE does not apply it automatically when creating a new ADF application. To prevent WEB-INF content download, you must set the javax.faces.RESOURCE_EXCLUDES parameter in web.xml, making sure to list every file extension you want to prevent from being accessible through a URL.
    Download - VulnerabilityTestCase.zip
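
    The web.xml fragment below is an added illustration of the mitigation described above; it is not taken from the post or from the VulnerabilityTestCase.zip download. The parameter name javax.faces.RESOURCE_EXCLUDES is the one the post names, and its value is a space-separated list of file suffixes that the JSF resource handler refuses to serve. The suffixes listed here start from the JSF 2.0 default set (.class .jsp .jspx .properties .xhtml) and add an assumed, illustrative set of extensions that ADF applications commonly keep under WEB-INF; extend it to cover every file type present in your own deployment.

```xml
<!-- web.xml fragment - added example, not code from the original post.
     javax.faces.RESOURCE_EXCLUDES: space-separated list of suffixes that
     the JSF resource handler must never serve through a resource URL.
     Setting the parameter replaces the built-in default list, so the
     default suffixes are repeated here rather than relied upon. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <context-param>
    <param-name>javax.faces.RESOURCE_EXCLUDES</param-name>
    <!-- JSF 2.0 defaults: .class .jsp .jspx .properties .xhtml
         Additional entries (.jsff .xml .jar .groovy .txt) are an assumed,
         illustrative set; inventory WEB-INF and add what you find there. -->
    <param-value>.class .jsp .jspx .properties .xhtml .jsff .xml .jar .groovy .txt</param-value>
  </context-param>

  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

</web-app>
```

    Because the check is a suffix match, any file under WEB-INF whose extension is not in the list remains reachable; a quick inventory (for example, listing the distinct extensions under WEB-INF of the deployed EAR/WAR) is the simplest way to verify the list is complete, and applying the vendor fix for the path traversal itself remains the primary remedy rather than this parameter alone.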
