myfaces-dev mailing list archives

From "Leonardo Uribe (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Resolved] (TOMAHAWK-1633) Arbitrary Session Variable Override using Captcha Renderer
Date Sat, 01 Sep 2012 22:17:07 GMT

     [ https://issues.apache.org/jira/browse/TOMAHAWK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leonardo Uribe resolved TOMAHAWK-1633.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.1.14-SNAPSHOT
         Assignee: Leonardo Uribe
    
> Arbitrary Session Variable Override using Captcha Renderer
> ----------------------------------------------------------
>
>                 Key: TOMAHAWK-1633
>                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
>             Project: MyFaces Tomahawk
>          Issue Type: Bug
>          Components: Captcha
>    Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
>            Reporter: Jan Alsenz
>            Assignee: Leonardo Uribe
>             Fix For: 1.1.14-SNAPSHOT
>
>         Attachments: TOMAHAWK-1633-1.patch
>
>
> Hello!
> I recently discovered that the captcha component can be misused to override arbitrary
> session variables (e.g. something like "username") with random content.
> The offending code is in class:
> org.apache.myfaces.custom.captcha.CAPTCHARenderer
> function "void renderCAPTCHA(FacesContext facesContext)"
> ======
>             String captchaSessionKeyName = requestMap.get(
>                 CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
> ...
>             // Set the generated text in the user session.
>             facesContext.getExternalContext().getSessionMap().put(
>                     captchaSessionKeyName, captchaText);
> ======
> Example URL: <host>/org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817
> In most cases this is not highly critical, but there will be special cases. And the behaviour
> is undesirable in any case.
> My suggested fix would be something like this:
> ======
>             String captchaSessionKeyName = requestMap.get(
>                 CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
> ...
>             // Set the generated text in the user session.
>             facesContext.getExternalContext().getSessionMap().put(
>                     CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME +
>                     captchaSessionKeyName, captchaText);
> ======
> Best Regards,
> Jan

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
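
The override and the suggested fix from the report above, reduced to plain maps. This is an added example, not part of the original report or the Tomahawk code base: the two maps stand in for the JSF request parameter map and session map, and the constant's value (inferred from the example URL), the method names, the null check, the "username" entry and the captcha text are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class CaptchaSessionKeyDemo {
    // Assumed value, inferred from the parameter name in the example URL.
    static final String ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME = "captchaSessionKeyName";

    // Reported behaviour: the request parameter is used as the session key as-is.
    static void storeUnprefixed(Map<String, String> requestMap,
                                Map<String, Object> sessionMap, String captchaText) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        sessionMap.put(captchaSessionKeyName, captchaText);
    }

    // Suggested fix: prefix the key so every write lands in a captcha-only namespace.
    static void storePrefixed(Map<String, String> requestMap,
                              Map<String, Object> sessionMap, String captchaText) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        if (captchaSessionKeyName == null) {
            return; // added guard (assumption): parameter absent, nothing to store
        }
        sessionMap.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + captchaSessionKeyName, captchaText);
    }

    // Hypothetical session that already holds application state.
    static Map<String, Object> newSession() {
        Map<String, Object> session = new HashMap<>();
        session.put("username", "alice"); // constructed sample value
        return session;
    }

    public static void main(String[] args) {
        // Constructed request: the client chooses "username" as the captcha key name.
        Map<String, String> requestMap = new HashMap<>();
        requestMap.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME, "username");
        String captchaText = "x7Kq2"; // constructed stand-in for the generated text

        // Unprefixed write replaces the application's own "username" entry.
        Map<String, Object> unprefixed = newSession();
        storeUnprefixed(requestMap, unprefixed, captchaText);
        System.out.println("unprefixed: " + unprefixed);

        // Prefixed write leaves "username" alone and adds a namespaced entry.
        Map<String, Object> prefixed = newSession();
        storePrefixed(requestMap, prefixed, captchaText);
        System.out.println("prefixed:   " + prefixed);
    }
}
```

Any code that later reads the captcha text back from the session has to apply the same prefix when it looks the key up.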
