myfaces-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From karthik kn <keyan...@gmail.com>
Subject Re: Reg vulnerability for Server State saving
Date Fri, 27 Jan 2017 05:27:06 GMT
Hi All,
We were able to update the jsf version to the lates and randomly generate
the enc key as mentioned in
https://wiki.apache.org/myfaces/Secure_Your_Application

However, the Initialization vector for CBC needs to be mentioned. Can we
not generate it randomly ?

Is this a bug in JSF ?

If i could generate the Enc key, then the IV should have been generated
randomly.

Please let know

On Fri, Dec 23, 2016 at 3:54 PM, Thomas Andraschko <
andraschko.thomas@gmail.com> wrote:

> Hi,
>
> i don't think there is any other way to configure it but you can still
> check the sources: http://svn.apache.org/viewvc/
> myfaces/core/branches/1.1.x/
>
> Regards,
> Thomas
>
> 2016-12-23 11:21 GMT+01:00 karthik kn <keyankay@gmail.com>:
>
> > Hi All,
> > Any thoughts on the below ?
> >
> > On Wed, Dec 21, 2016 at 10:22 AM, karthik kn <keyankay@gmail.com> wrote:
> >
> > > Hi,
> > > If i use a new key in web.xml as SECRET, it could be still  exposed to
> > the
> > > Administrator on accessing the system.
> > >
> > > Wont this cause a vulnerability ? Is there any other mechanism of
> storing
> > > the secret ?
> > >
> > > On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler <bechler@agno3.eu>
> > wrote:
> > >
> > >> Hi,
> > >>
> > >> > Thank you for clarification. Using the secret mentioned in the below
> > >> page
> > >> > would suffice or there is some mechanism to generate the SECRET ?
> > >> >
> > >>
> > >> You must not use the keys specified on this page but generate your own
> > >> secret ones. An attacker using the same key can then produce a valid
> > >> ViewState token containing an exploit. Also, as noted on the security
> > >> page and by Leonardo, version up to and including 1.1.7, 1.2.8, 2.0.0
> > >> are vulnerable to padding oracle attacks (I haven't had a close look
> but
> > >> I would be pretty sure that also applies to server side state saving).
> > >> That means that an attacker may be able to create such tokens without
> > >> the knowledge of the key - again allowing for the same exploits.
> > >>
> > >> So I guess there is no way to be really safe without upgrading.
> > >>
> > >>
> > >> Moritz
> > >>
> > >> PS: you also might want to consider using something stronger than DES.
> > >>
> > >>
> > >> --
> > >> AgNO3 GmbH & Co. KG, Sitz Tübingen, Amtsgericht Stuttgart HRA 728731
> > >> Persönlich haftend:
> > >> Metagesellschaft mbH, Sitz Tübingen, Amtsgericht Stuttgart HRB 744820,
> > >> Vertreten durch Joachim Keltsch
> > >>
> > >
> > >
> > >
> > > --
> > > -------------------------
> > > Thanks & Regards
> > >
> > > Karthik.K.N
> > >
> >
> >
> >
> > --
> > -------------------------
> > Thanks & Regards
> >
> > Karthik.K.N
> >
>



-- 
-------------------------
Thanks & Regards

Karthik.K.N

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message