myfaces-users mailing list archives

From Moritz Bechler <bech...@agno3.eu>
Subject Re: Reg vulnerability for Server State saving
Date Tue, 20 Dec 2016 11:04:37 GMT
Hi,

> Currently we are not in a position to update to 1.1.8 as the change would
> require an upgrade of legacy software.
> 
> With just 1.1.5, based on the below, it has been mentioned that it is ok to
> use "Server" for state saving. Based on this, can you clarify that
> encryption is not required for server state saving.
> 

No, unfortunately this is very unsafe - one should never use MyFaces
with unencrypted ViewState. An attacker can exploit the (useless, as
it's a simple string) deserialization of a crafted ViewState token that
MyFaces performs. This is almost certainly exploitable for remote code
execution (<https://issues.apache.org/jira/browse/MYFACES-4021>).


regards

Moritz

-- 
AgNO3 GmbH & Co. KG, registered office Tübingen, Amtsgericht Stuttgart HRA 728731
General partner:
Metagesellschaft mbH, registered office Tübingen, Amtsgericht Stuttgart HRB 744820,
represented by Joachim Keltsch
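
A defender-side check for the condition discussed in the message above, as an added example that is not part of the original post or of MyFaces itself: it classifies a ViewState token captured from your own application as unencrypted Java serialization or as opaque data. It assumes the token is base64, optionally gzip-compressed; the function name and the sample tokens are constructed for illustration.

```python
import base64
import binascii
import gzip
import urllib.parse
import zlib

# java.io.ObjectStreamConstants: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"
GZIP_MAGIC = b"\x1f\x8b"


def classify_viewstate(token: str) -> str:
    """Return 'java-serialized', 'gzip+java-serialized' or 'opaque'.

    'opaque' only means no serialization header is visible; it does not
    prove that the token is encrypted or integrity-protected.
    """
    raw = urllib.parse.unquote(token.strip())   # form values may be URL-encoded
    raw += "=" * (-len(raw) % 4)                # restore stripped padding
    try:
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return "opaque"
    if data.startswith(JAVA_STREAM_HEADER):
        return "java-serialized"
    if data.startswith(GZIP_MAGIC):
        try:
            # wbits=31 selects gzip framing; inflate at most 16 bytes so an
            # oversized or hostile token cannot exhaust memory.
            head = zlib.decompressobj(wbits=31).decompress(data, 16)
        except zlib.error:
            return "opaque"
        if head.startswith(JAVA_STREAM_HEADER):
            return "gzip+java-serialized"
    return "opaque"


# Constructed samples: a serialized java.lang.String "1"
# (TC_STRING 0x74, 2-byte length, UTF-8 bytes) and fixed filler bytes.
_JAVA_STRING = JAVA_STREAM_HEADER + b"\x74\x00\x01" + b"1"
SAMPLES = {
    "plain": base64.b64encode(_JAVA_STRING).decode(),
    "gzipped": base64.b64encode(gzip.compress(_JAVA_STRING)).decode(),
    "filler": base64.b64encode(bytes(range(16, 48))).decode(),
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(f"{name:8s} {classify_viewstate(tok)}")
```

Any result other than `opaque` means the token is being sent in a form the server will deserialize as-is, which is the unsafe configuration the reply warns about.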
