Return-Path: X-Original-To: apmail-myfaces-dev-archive@www.apache.org Delivered-To: apmail-myfaces-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 0AE01DA5D for ; Sat, 1 Sep 2012 22:17:08 +0000 (UTC) Received: (qmail 31242 invoked by uid 500); 1 Sep 2012 22:17:07 -0000 Delivered-To: apmail-myfaces-dev-archive@myfaces.apache.org Received: (qmail 31199 invoked by uid 500); 1 Sep 2012 22:17:07 -0000 Mailing-List: contact dev-help@myfaces.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "MyFaces Development" Delivered-To: mailing list dev@myfaces.apache.org Received: (qmail 31192 invoked by uid 99); 1 Sep 2012 22:17:07 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 01 Sep 2012 22:17:07 +0000 Date: Sun, 2 Sep 2012 09:17:07 +1100 (NCT) From: "Leonardo Uribe (JIRA)" To: dev@myfaces.apache.org Message-ID: <1119511987.27555.1346537827725.JavaMail.jiratomcat@arcas> In-Reply-To: <2045480440.1094.1346071807601.JavaMail.jiratomcat@arcas> Subject: [jira] [Resolved] (TOMAHAWK-1633) Arbitrary Session Variable Override using Captcha Renderer MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/TOMAHAWK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Leonardo Uribe resolved TOMAHAWK-1633. -------------------------------------- Resolution: Fixed Fix Version/s: 1.1.14-SNAPSHOT Assignee: Leonardo Uribe > Arbitrary Session Variable Override using Captcha Renderer > ---------------------------------------------------------- > > Key: TOMAHAWK-1633 > URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633 > Project: MyFaces Tomahawk > Issue Type: Bug > Components: Captcha > Affects Versions: 1.1.13, 1.1.14-SNAPSHOT > Reporter: Jan Alsenz > Assignee: Leonardo Uribe > Fix For: 1.1.14-SNAPSHOT > > Attachments: TOMAHAWK-1633-1.patch > > > Hello! > I recently discovered, that the captcha component can be misused to override arbitrary session variables (e.g. something like "username") with random content. > The offending code is in class: > org.apache.myfaces.custom.captcha.CAPTCHARenderer > function "void renderCAPTCHA(FacesContext facesContext)" > ====== > String captchaSessionKeyName = requestMap.get( > CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString(); > ... > // Set the generated text in the user session. > facesContext.getExternalContext().getSessionMap().put( > captchaSessionKeyName, captchaText); > ====== > Example URL: /org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817 > In most cases this is not highly critical, but there will be special cases. And the behaviour is undesirable in any case. > My suggested fix would be something like this: > ====== > String captchaSessionKeyName = requestMap.get( > CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString(); > ... > // Set the generated text in the user session. > facesContext.getExternalContext().getSessionMap().put( > CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + > captchaSessionKeyName, captchaText); > ====== > Best Regards, > Jan -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira