myfaces-users mailing list archives

From Moritz Bechler
Subject Re: Reg vulnerability for Server State saving
Date Tue, 20 Dec 2016 13:22:20 GMT

> Thank you for the clarification. Would using the secret mentioned on the page
> below suffice, or is there some mechanism to generate the SECRET?

You must not use the keys specified on this page but generate your own
secret ones. An attacker using the same key can then produce a valid
ViewState token containing an exploit. Also, as noted on the security
page and by Leonardo, versions up to and including 1.1.7, 1.2.8, 2.0.0
are vulnerable to padding oracle attacks (I haven't had a close look but
I would be pretty sure that also applies to server side state saving).
That means that an attacker may be able to create such tokens without
the knowledge of the key - again allowing for the same exploits.

So I guess there is no way to be really safe without upgrading.


PS: you also might want to consider using something stronger than DES.

AgNO3 GmbH & Co. KG, registered office Tübingen, Amtsgericht Stuttgart HRA 728731
Personally liable partner:
Metagesellschaft mbH, registered office Tübingen, Amtsgericht Stuttgart HRB 744820,
represented by Joachim Keltsch
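
One way to generate your own secret and to check an already configured one, as an added example that is not part of the original message or of the MyFaces code base. The function names are hypothetical and the sample key is constructed. The `org.apache.myfaces.*` names are MyFaces context parameters, and it is an assumption that the deployed release supports the MAC parameters.

```python
import base64
import secrets

# Key lengths (bytes) for JCE cipher names usable in org.apache.myfaces.ALGORITHM.
KEY_BYTES = {"DES": (8,), "DESede": (24,), "AES": (16, 24, 32)}

def generate_secret(n_bytes=16):
    """Fresh random key from the OS CSPRNG, base64-encoded for web.xml."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")

def audit_secret(algorithm, secret_b64):
    """Return findings for a configured algorithm/secret pair (empty = ok)."""
    try:
        key = base64.b64decode(secret_b64, validate=True)
    except ValueError:
        return ["secret is not valid base64"]
    findings = []
    if algorithm not in KEY_BYTES:
        findings.append(f"unrecognised algorithm {algorithm!r}")
    elif len(key) not in KEY_BYTES[algorithm]:
        findings.append(f"{len(key)}-byte key does not fit {algorithm}")
    if algorithm == "DES":
        findings.append("DES has a 56-bit effective key; use AES")
    if key and all(32 <= b < 127 for b in key):
        findings.append("key is printable ASCII: typed or copied, not random")
    return findings

def context_params(enc_key, mac_key):
    """Render web.xml entries; names assume a MyFaces release with MAC support."""
    params = [
        ("org.apache.myfaces.ALGORITHM", "AES"),
        ("org.apache.myfaces.SECRET", enc_key),
        ("org.apache.myfaces.MAC_ALGORITHM", "HmacSHA256"),
        ("org.apache.myfaces.MAC_SECRET", mac_key),
    ]
    return "\n".join(
        f"<context-param>\n  <param-name>{n}</param-name>\n"
        f"  <param-value>{v}</param-value>\n</context-param>"
        for n, v in params
    )

if __name__ == "__main__":
    # Constructed sample: an 8-byte ASCII string used as a DES key.
    sample = base64.b64encode(b"ABCDEFGH").decode("ascii")
    print(audit_secret("DES", sample))
    print(context_params(generate_secret(16), generate_secret(32)))
```

Keep the generated values out of version control and use different keys per environment, since anyone holding them can produce tokens the application accepts.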
