myfaces-users mailing list archives

From karthik kn <keyan...@gmail.com>
Subject Re: Reg vulnerability for Server State saving
Date Tue, 20 Dec 2016 12:47:07 GMT
Hi,
Thank you for the clarification. Would using the secret mentioned on the page below
suffice, or is there some mechanism to generate the SECRET?

https://wiki.apache.org/myfaces/Secure_Your_Application

<context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
    <param-value>CBC/PKCS5Padding</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.IV</param-name>
    <param-value>NzY1NDMyMTA3NjU0MzIxMA==</param-value>
</context-param>


On Tue, Dec 20, 2016 at 4:34 PM, Moritz Bechler <bechler@agno3.eu> wrote:

> Hi,
>
> > Currently we are not in a position to update to 1.1.8 as the change would
> > require an upgrade of legacy software.
> >
> > With just 1.1.5, based on the below, it has been mentioned that it is ok
> > to use "Server" for state saving. Based on this, can you clarify that
> > encryption is not required for server state saving.
> >
>
> No, unfortunately this is very unsafe - one should never use myfaces
> with unencrypted ViewState. An attacker can exploit the (useless, as
> it's a simple string) deserialization of a crafted ViewState token that
> MyFaces performs. This is almost certainly exploitable for remote code
> execution (<https://issues.apache.org/jira/browse/MYFACES-4021>).
>
>
> regards
>
> Moritz
>
> --
> AgNO3 GmbH & Co. KG, Sitz Tübingen, Amtsgericht Stuttgart HRA 728731
> Persönlich haftend:
> Metagesellschaft mbH, Sitz Tübingen, Amtsgericht Stuttgart HRB 744820,
> Vertreten durch Joachim Keltsch
>



-- 
-------------------------
Thanks & Regards

Karthik.K.N
