How to resolve JSF PrimeFaces script injection attack in JBoss Enterprise Application Platform (EAP)?
Issue
- I notice the following requests in my access logs in either Apache httpd or JBoss EAP:
[date] "GET /faces/javax.faces.resource/dynamiccontent.properties.xhtml? ... &cmd=<linux-console-commands> HTTP/1.1" 200 <size>
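One way to search access logs for the request pattern shown above, as an added example that is not part of the original article. It assumes common/combined log format; the function name, the sample lines, and the `placeholder` parameter (standing in for the parameters elided in the log line above) are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
RESOURCE = "javax.faces.resource/dynamiccontent.properties.xhtml"

def find_suspicious(lines):
    """Return requests for the dynamiccontent resource that carry a cmd parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        parts = urlsplit(m.group("target"))
        # Decode %-escapes and drop a ";jsessionid=..." suffix before comparing.
        path = unquote(parts.path).split(";")[0].lower()
        if not path.endswith(RESOURCE):
            continue
        # parse_qs URL-decodes values; keys are lowercased to catch case variants.
        params = {k.lower(): v for k, v in
                  parse_qs(parts.query, keep_blank_values=True).items()}
        if "cmd" not in params:
            continue
        hits.append({"host": m.group("host"), "time": m.group("time"),
                     "status": int(m.group("status")), "cmd": params["cmd"]})
    return hits

# Constructed sample lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/index.xhtml HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /faces/javax.faces.resource/dynamiccontent.properties.xhtml?placeholder=x&cmd=uname%20-a HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /faces/javax.faces.resource/dynamiccontent.properties.xhtml;jsessionid=ABC?placeholder=x&cmd=id HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /faces/javax.faces.resource/dynamiccontent.properties.xhtml?placeholder=x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Each hit carries the client address, timestamp, response status, and the decoded `cmd` value, which gives responders the fields needed to scope the activity across hosts.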
Environment
- JBoss Enterprise Application Platform 6
- JBoss Enterprise Application Platform 7
- PrimeFaces (a third-party library)