<div dir="ltr">I am available all day Tuesday so what ever time is fine.<br><br>Thanks for your help Marc.<br><br>-Jay<br><br><div class="gmail_quote">On Mon, Oct 6, 2008 at 6:55 AM, Pete Muir <span dir="ltr"><<a href="mailto:pmuir@redhat.com">pmuir@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Marc,<br>
<br>
Sounds great. I'm in the UK, so GMT+1 atm. Christian, will you join us to discuss?<br>
<br>
Best,<div><div></div><div class="Wj3C7c"><br>
<br>
On 6 Oct 2008, at 11:13, Marc Schoenefeld wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Pete,<br>
<br>
that sounds like a good plan, let's schedule some initial planning for<br>
next week, because this week I am quite busy with after-PTO workload<br>
and SOA testing. How about next tuesday? BTW, which timezone are you<br>
in, maybe we can start with a phone chat?<br>
<br>
The first things that come into my mind are JSF view state injection,<br>
XSS in all different kinds, remoting misuse, insecure servlet mappings.<br>
During this week I will catch with the current Seam codebase by<br>
findbugs-ing through it, and maybe already stumble over the one or<br>
other place to start poking into.<br>
<br>
Cheers<br>
Marc<br>
<br>
Pete Muir wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Marc,<br>
<br>
Something that we've been discussing is the idea creating a security<br>
audit checklist that will cover Seam and the ways it interacts with<br>
the outside world; initially, we want to focus on JSF, Seam Remoting<br>
(Ajax) and Servlet but we will also consider adding in WS including<br>
JAX-RS, Wicket, GWT and perhaps others, though these are what I can<br>
think off. This checklist would then be added to the Seam QA process<br>
(which is run through at release time).<br>
<br>
We were wondering if you would be able to work with us on this? My<br>
suggestion is, that as you (I hope ;-) have a good understanding of<br>
the general approaches that could be used to exploit a Seam that you<br>
would be to work with us both on an initial list of areas to focus on,<br>
and then help us develop the checklist.<br>
<br>
Let us know :)<br>
<br>
Pete<br>
</blockquote>
<br>
<br>
-- <br>
Marc Schoenefeld / Red Hat Security Response Team<br>
<br>
</blockquote>
<br>
_______________________________________________<br>
seam-dev mailing list<br>
<a href="mailto:seam-dev@lists.jboss.org" target="_blank">seam-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/seam-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/seam-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>blog: <a href="http://in.relation.to/Bloggers/Jay">http://in.relation.to/Bloggers/Jay</a><br>
</div>