myfaces-users mailing list archives

From Leonardo Uribe <lu4...@gmail.com>
Subject Re: Reg vulnerability for Server State saving
Date Mon, 19 Dec 2016 16:35:07 GMT
Hi

1.1.5 is too old. Please update to 1.1.8 or a later version.

See https://wiki.apache.org/myfaces/Secure_Your_Application for details.

regards,

Leonardo Uribe

2016-12-19 5:44 GMT-05:00 karthik kn <keyankay@gmail.com>:

> Hi,
> I am using myfaces-1.1.5 with the following state saving method:
>
> <context-param><param-name>javax.faces.STATE_SAVING_METHOD</param-name><param-value>server</param-value></context-param>
>
> However, I see that the object identifier is being sent to the server as
> follows:
>
> <input type="hidden" name="javax.faces.ViewState"
> id="javax.faces.ViewState"
> value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0
> AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
> /></form>
>
> This is the serialized object identifier sent over the network.
>
> We are using only https and not http.
>
> Does sending this serialized object identifier without encrypting it open any
> vulnerability which an attacker could use to his/her advantage?
>
> --
> -------------------------
> Thanks & Regards
>
> Karthik.K.N
>

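As an added illustration (not code from the thread or from MyFaces), the check below decodes the javax.faces.ViewState value quoted in the question above and tests whether it is an unencrypted Java serialization stream: such a stream starts with the magic bytes AC ED 00 05, which base64-encode to the "rO0AB" prefix visible in the token. It also pulls out the printable strings, which shows that the view id is readable to anyone who can see the form field; the string extraction is a generic heuristic, not a full deserializer.

```python
import base64
import re

# Java object-stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# The ViewState value quoted in the question above, with the line wrap removed.
VIEWSTATE_FROM_QUESTION = (
    "rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0"
    "AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
)


def decode_viewstate(value: str) -> bytes:
    """Base64-decode a ViewState field value, tolerating whitespace and missing padding."""
    value = re.sub(r"\s+", "", value)
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes (like the `strings` tool)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def inspect_viewstate(value: str) -> dict:
    """Classify a ViewState token as raw Java serialization or as an opaque/encrypted blob."""
    data = decode_viewstate(value)
    is_java_serial = data.startswith(JAVA_SERIAL_MAGIC)
    return {
        "bytes": len(data),
        "java_serialized": is_java_serial,
        # Strings are only meaningful when the stream is unencrypted.
        "strings": printable_strings(data) if is_java_serial else [],
    }


if __name__ == "__main__":
    report = inspect_viewstate(VIEWSTATE_FROM_QUESTION)
    print("decoded bytes:", report["bytes"])
    print("raw Java serialization:", report["java_serialized"])
    for s in report["strings"]:
        print("  cleartext string:", s)
```

A token that decodes to something other than the AC ED 00 05 header (for example after enabling MyFaces' state encryption as described on the Secure_Your_Application wiki page) will report java_serialized as False.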