dev@glassfish.java.net

Possible Reflected XSS vulnerability in Glassfish error handler

From: Jean Silva <jeanclaybr_at_yahoo.com.br>
Date: Mon, 13 Oct 2008 17:30:49 -0700 (PDT)

    Hi, all.
    I'm new on this list. I don't know if this is the right place to
report security vulnerabilities, but if it is not, please point me to the
right place.
    While I was developing a web application using NetBeans and Glassfish, I noticed that when a NumberFormatException is thrown from a JSF page, the stack trace is printed in the error page without being sanitized.
    I exploited the vulnerability using the Paros Proxy to modify a POST parameter that should be an integer, to contain the string "<script>alert('XSS');</script>".
    The full stack trace is in the lines below:
WARNING: For input string: "<script>alert('XSS');</script>"
java.lang.NumberFormatException: For input string: "<script>alert('XSS');</script>"
        at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
        at java.lang.Integer.parseInt(Integer.java:447)
        at java.lang.Integer.<init>(Integer.java:620)
        at test.CustomerConverter.getAsObject(CustomerConverter.java:22)
        at com.sun.faces.renderkit.html_basic.MenuRenderer.convertSelectManyValues(MenuRenderer.java:457)
        at com.sun.faces.renderkit.html_basic.MenuRenderer.convertSelectManyValuesForModel(MenuRenderer.java:320)
        at com.sun.faces.renderkit.html_basic.MenuRenderer.convertSelectManyValue(MenuRenderer.java:115)
        at com.sun.faces.renderkit.html_basic.MenuRenderer.getConvertedValue(MenuRenderer.java:297)
        at javax.faces.component.UIInput.getConvertedValue(UIInput.java:942)
        at javax.faces.component.UIInput.validate(UIInput.java:868)
        at javax.faces.component.UIInput.executeValidate(UIInput.java:1072)
        at javax.faces.component.UIInput.processValidators(UIInput.java:672)
        at javax.faces.component.UIComponentBase.processValidators(UIComponentBase.java:1058)
        at javax.faces.component.UIForm.processValidators(UIForm.java:235)
        at javax.faces.component.UIComponentBase.processValidators(UIComponentBase.java:1058)
        at javax.faces.component.UIViewRoot.processValidators(UIViewRoot.java:700)
        at com.sun.faces.lifecycle.ProcessValidationsPhase.execute(ProcessValidationsPhase.java:76)
        at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
        at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
        at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:431)
        at org.apache.catalina.core.StandardWrapperValve.preInvoke(StandardWrapperValve.java:462)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:139)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:186)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:96)
        at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:651)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1030)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:142)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:651)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1030)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:316)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:235)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:180)
        at com.sun.grizzly.http.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:625)
        at com.sun.grizzly.http.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:562)
        at com.sun.grizzly.http.DefaultProcessorTask.process(DefaultProcessorTask.java:819)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:152)
        at com.sun.enterprise.v3.services.impl.GlassfishProtocolChain.executeProtocolFilter(GlassfishProtocolChain.java:71)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:67)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:56)
        at com.sun.grizzly.util.WorkerThreadImpl.processTask(WorkerThreadImpl.java:325)
        at com.sun.grizzly.util.WorkerThreadImpl.run(WorkerThreadImpl.java:184)
SEVERE: JSF1054: (Phase ID: PROCESS_VALIDATIONS 3, View ID: /discountCode/Edit.jsp) Exception thrown during phase execution: javax.faces.event.PhaseEvent[source=com.sun.faces.lifecycle.LifecycleImpl_at_1133fd6]
SEVERE: StandardWrapperValve[Faces Servlet]: PWC1406: Servlet.service() for servlet Faces Servlet threw exception
java.lang.NumberFormatException: For input string: "<script>alert('XSS');</script>"
        at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
        at java.lang.Integer.parseInt(Integer.java:447)
        at java.lang.Integer.<init>(Integer.java:620)
        at test.CustomerConverter.getAsObject(CustomerConverter.java:22)
        at com.sun.faces.renderkit.html_basic.MenuRenderer.convertSelectManyValues(MenuRenderer.java:457)
        at com.sun.faces.renderkit.html_basic.MenuRenderer.convertSelectManyValuesForModel(MenuRenderer.java:320)
        at com.sun.faces.renderkit.html_basic.MenuRenderer.convertSelectManyValue(MenuRenderer.java:115)
        at com.sun.faces.renderkit.html_basic.MenuRenderer.getConvertedValue(MenuRenderer.java:297)
        at javax.faces.component.UIInput.getConvertedValue(UIInput.java:942)
        at javax.faces.component.UIInput.validate(UIInput.java:868)
        at javax.faces.component.UIInput.executeValidate(UIInput.java:1072)
        at javax.faces.component.UIInput.processValidators(UIInput.java:672)
        at javax.faces.component.UIComponentBase.processValidators(UIComponentBase.java:1058)
        at javax.faces.component.UIForm.processValidators(UIForm.java:235)
        at javax.faces.component.UIComponentBase.processValidators(UIComponentBase.java:1058)
        at javax.faces.component.UIViewRoot.processValidators(UIViewRoot.java:700)
        at com.sun.faces.lifecycle.ProcessValidationsPhase.execute(ProcessValidationsPhase.java:76)
        at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:100)
        at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:118)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
        at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:431)
        at org.apache.catalina.core.StandardWrapperValve.preInvoke(StandardWrapperValve.java:462)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:139)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:186)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
        at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:96)
        at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:187)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:651)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1030)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:142)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:719)
        at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:657)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:651)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1030)
        at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:316)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:235)
        at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:180)
        at com.sun.grizzly.http.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:625)
        at com.sun.grizzly.http.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:562)
        at com.sun.grizzly.http.DefaultProcessorTask.process(DefaultProcessorTask.java:819)
        at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:152)
        at com.sun.enterprise.v3.services.impl.GlassfishProtocolChain.executeProtocolFilter(GlassfishProtocolChain.java:71)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:67)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:56)
        at com.sun.grizzly.util.WorkerThreadImpl.processTask(WorkerThreadImpl.java:325)
        at com.sun.grizzly.util.WorkerThreadImpl.run(WorkerThreadImpl.java:184)

    And the error page shows something like:

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: For input string: ""

root cause

java.lang.NumberFormatException: For input string: ""

note The full stack traces of the exception and its root causes are available in the GlassFish/v3 logs.
GlassFish/v3

    Two JavaScript alert messages are shown.

    I can post the source code and detailed steps to reproduce the vulnerability, if you think it would be useful.
    Regards,

    Jean.
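Added example, not code from the original report or from the GlassFish project: a JSF converter written so that the conversion failure above becomes a validation message instead of an unhandled NumberFormatException reaching the container error page, plus the HTML escaping an error handler must apply before echoing any exception message. The class names SafeCustomerConverter and Customer and the helper escapeHtml are assumed.

```java
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.convert.Converter;
import javax.faces.convert.ConverterException;

public class SafeCustomerConverter implements Converter {
    // Minimal stand-in for the application's Customer entity (assumed, not from the post).
    public static final class Customer {
        public final int id;
        public Customer(int id) { this.id = id; }
    }

    public Object getAsObject(FacesContext ctx, UIComponent comp, String value) {
        if (value == null || value.trim().length() == 0) {
            return null;
        }
        try {
            return new Customer(Integer.parseInt(value.trim()));
        } catch (NumberFormatException e) {
            // Report the failure through JSF rather than letting the exception reach the
            // container error page, and keep the raw submitted value out of the message.
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Invalid customer id", "The customer id must be a whole number.");
            throw new ConverterException(msg);
        }
    }

    public String getAsString(FacesContext ctx, UIComponent comp, Object value) {
        return value == null ? "" : Integer.toString(((Customer) value).id);
    }

    // Container-side defence: escape before echoing an exception message into HTML.
    // For the payload in the report this yields &lt;script&gt;alert(&#39;XSS&#39;);&lt;/script&gt;.
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Both halves matter: the converter change keeps attacker-controlled text out of the exception path, and the escaping covers every other exception whose message still carries request data.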