Mailing-List: contact users-help@myfaces.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "MyFaces Discussion" <users@myfaces.apache.org>
MIME-Version: 1.0
In-Reply-To: <CABujnVcsYvazCHWFm40gY9tLp7suUmNeAmYq1LJPQ3S0875-9Q@mail.gmail.com>
References: <CAHfHB4HfMT67ZVEzQ_P_DxBgwzoV75ObE_wOE8dpDm4BA8bxXA@mail.gmail.com>
 <CABujnVcsYvazCHWFm40gY9tLp7suUmNeAmYq1LJPQ3S0875-9Q@mail.gmail.com>
From: karthik kn <keyankay@gmail.com>
Date: Tue, 20 Dec 2016 15:24:47 +0530
Message-ID: <CAHfHB4EwXKWy=tVUgeLDmYT--u66cVyAPvy9K-vA1Qx9Dw+6Gw@mail.gmail.com>
Subject: Re: Reg vulnerability for Server State saving
To: MyFaces Discussion <users@myfaces.apache.org>
Content-Type: multipart/alternative; boundary=089e01227936d13e16054414060f
archived-at: Tue, 20 Dec 2016 09:55:04 -0000

--089e01227936d13e16054414060f
Content-Type: text/plain; charset=UTF-8

Hi,
Currently we are not in a position to update to 1.1.8 as the change would
require a upgrade of legacy software.

With just 1.1.5,based on the below, it has been mentioned that it is ok to
use "Server" for state saving. Based on this, can you clarify that
encryption is not required for server state saving.

However, in the wiki I see the following

Security configuration for Myfaces Core 1.1.7, 1.2.8, 2.0.0 and earlier

When using client side state saving, the UI object model is serialized and
rendered with the response. This is behavior controlled by the following
context parameter.

    <context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>     </context-param>

One consequence of client side state saving is that anyone with a decoder
and some time to kill can reconstruct the UI object model on the client
side. This can be a problem for those of us who make use of the excellent
t:saveState <http://myfaces.apache.org/tomahawk/uiSaveState.html> tag.

*Users of myfaces core version 1.1.7, 1.2.8, 2.0.0 and earlier MUST use
server side state saving instead to prevent padding oracle attack on view
state.*

Enabling encryption is as easy as putting the following context parameter
in your deployment descriptor. There are two things to note here. First,
this uses the default encryption algorithm, DES
<http://www.itl.nist.gov/fipspubs/fip46-2.htm>, so the secret must have a
size of eight. Second, although the secret is actually "76543210", we do
not put this directly in the deployment descriptor. Instead, we place it's
base 64 encoded value. This annoying extra step in the process is required
so that secrets are not limited to printable character values.


On Mon, Dec 19, 2016 at 10:05 PM, Leonardo Uribe <lu4242@gmail.com> wrote:

> Hi
>
> 1.1.5 is too old. Please update to 1.1.8 or upper versions.
>
> See https://wiki.apache.org/myfaces/Secure_Your_Application  for details.
>
> regards,
>
> Leonardo Uribe
>
> 2016-12-19 5:44 GMT-05:00 karthik kn <keyankay@gmail.com>:
>
> > Hi,
> > I am using myfaces-1.1.5 and using the following state saving method
> >
> > <context-param><param-name>javax.faces.STATE_SAVING_
> > METHOD</param-name><param-value>server</param-value></context-param>
> >
> > However,i see that the object identifier is being sent to the server as
> > following
> >
> > <input type="hidden" name="javax.faces.ViewState"
> > id="javax.faces.ViewState"
> > value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0
> > AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
> > /></form>
> >
> > This is the serialized object identifier sent over the network
> >
> > We are using only https and not http.
> >
> > Does sending this serialized object identifier without encrypting open
> any
> > vulnerability which the attacker could use to his/her advantage ?
> >
> > --
> > -------------------------
> > Thanks & Regards
> >
> > Karthik.K.N
> >
>


-- 
-------------------------
Thanks & Regards

Karthik.K.N

--089e01227936d13e16054414060f--