myfaces-users mailing list archives

From karthik kn <keyan...@gmail.com>
Subject Re: Reg vulnerability for Server State saving
Date Wed, 21 Dec 2016 04:52:03 GMT
Hi,
If I use a new key in web.xml as SECRET, it could still be exposed to the
Administrator on accessing the system.

Won't this cause a vulnerability? Is there any other mechanism of storing
the secret?

On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler <bechler@agno3.eu> wrote:

> Hi,
>
> > Thank you for clarification. Using the secret mentioned in the below page
> > would suffice or there is some mechanism to generate the SECRET ?
> >
>
> You must not use the keys specified on this page but generate your own
> secret ones. An attacker using the same key can then produce a valid
> ViewState token containing an exploit. Also, as noted on the security
> page and by Leonardo, versions up to and including 1.1.7, 1.2.8, 2.0.0
> are vulnerable to padding oracle attacks (I haven't had a close look but
> I would be pretty sure that also applies to server side state saving).
> That means that an attacker may be able to create such tokens without
> knowledge of the key - again allowing for the same exploits.
>
> So I guess there is no way to be really safe without upgrading.
>
>
> Moritz
>
> PS: you also might want to consider using something stronger than DES.
>
>
> --
> AgNO3 GmbH & Co. KG, registered office Tübingen, Amtsgericht Stuttgart HRA 728731
> Personally liable partner:
> Metagesellschaft mbH, registered office Tübingen, Amtsgericht Stuttgart HRB 744820,
> represented by Joachim Keltsch
>



-- 
-------------------------
Thanks & Regards

Karthik.K.N
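The advice in the quoted reply is to generate your own secret rather than copying the one shown in the documentation, and to prefer a cipher stronger than DES. The following is an added example, not code from this thread or from the MyFaces project, showing one way to do that: it draws fresh random bytes from a CSPRNG for the encryption key, the IV and the MAC secret, and renders them as web.xml context parameters. The parameter names org.apache.myfaces.SECRET, org.apache.myfaces.ALGORITHM, org.apache.myfaces.ALGORITHM.PARAMETERS, org.apache.myfaces.ALGORITHM.IV and org.apache.myfaces.MAC_SECRET, the base64 encoding of the values, and the key and block sizes per cipher are assumptions to be checked against the documentation for your MyFaces version.

```python
import base64
import secrets
from xml.sax.saxutils import escape

# Assumed key sizes in bytes: DES takes an 8-byte key, AES-128 a 16-byte key.
KEY_SIZES = {"DES": 8, "AES": 16}
# Assumed IV length: one cipher block (8 bytes for DES, 16 for AES).
BLOCK_SIZES = {"DES": 8, "AES": 16}


def generate_secret(num_bytes: int) -> str:
    """Return num_bytes of CSPRNG output, base64-encoded (the encoding MyFaces is assumed to expect)."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def generate_state_config(algorithm: str = "AES") -> dict:
    """Build a fresh set of state-saving parameters with independent random secrets.

    Parameter names are assumed MyFaces context-param names (not taken from the thread).
    """
    if algorithm not in KEY_SIZES:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return {
        "org.apache.myfaces.ALGORITHM": algorithm,
        "org.apache.myfaces.ALGORITHM.PARAMETERS": "CBC/PKCS5Padding",
        # Encryption key: never reuse a value published in documentation.
        "org.apache.myfaces.SECRET": generate_secret(KEY_SIZES[algorithm]),
        "org.apache.myfaces.ALGORITHM.IV": generate_secret(BLOCK_SIZES[algorithm]),
        # MAC secret is generated separately so it never equals the cipher key.
        "org.apache.myfaces.MAC_SECRET": generate_secret(32),
    }


def render_context_params(params: dict) -> str:
    """Render the parameters as web.xml <context-param> elements."""
    parts = []
    for name, value in params.items():
        parts.append(
            "<context-param>\n"
            f"  <param-name>{escape(name)}</param-name>\n"
            f"  <param-value>{escape(value)}</param-value>\n"
            "</context-param>"
        )
    return "\n".join(parts)


def decoded_length(b64_value: str) -> int:
    """Length in bytes of a base64 value; used to sanity-check generated key sizes."""
    return len(base64.b64decode(b64_value))


if __name__ == "__main__":
    # Print a ready-to-paste block; run once per deployment, never share the output.
    print(render_context_params(generate_state_config("AES")))
```

Running this prints a block that can be pasted into web.xml. Note that it does not answer the question raised in the message above: the values still sit in web.xml, so anyone who can read that file can read the key, and the generated secrets should be treated with the same file-permission care as any other deployment credential. It also does nothing about the padding-oracle issue in the versions named in the reply; only upgrading addresses that.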
