[jbossseam-issues] [JBoss JIRA] Updated: (JBSEAM-1137) Potential security issue in Seam captcha?
[ http://jira.jboss.com/jira/browse/JBSEAM-1137?page=all ]
Ian Hlavats updated JBSEAM-1137:
--------------------------------
Description:
I have been experiencing "holes" in the Seam captcha integration recently (eg.
spam is getting through).
The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
The following scenario should point out a potential security issue with this approach.
Suppose I have a JSF page with a typical user comment form on it that does not use
Seam's captcha component.
Now a malicious user scrapes my JSF page and stores a local copy on his computer,
serialized UI component tree and all.
In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a
validation error when the form is submitted without the correct captcha text.
Can the malicious user can now submit the previous copy of my form without the captcha
component in the tree?
I am using the MyFaces 1.1.4 JSF implementation.
Thanks.
was:
I have been experiencing "holes" in the Seam captcha integration recently.
The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
The following scenario should point out a potential security issue with this approach.
Suppose I have a JSF page with a typical user comment form on it that does not use
Seam's captcha component.
Now a malicious user scrapes my JSF page and stores a local copy on his computer,
serialized UI component tree and all.
In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a
validation error when the form is submitted without the correct captcha text.
Can the malicious user can now submit the previous copy of my form without the captcha
component in the tree?
I am using the MyFaces 1.1.4 JSF implementation.
Thanks.
Potential security issue in Seam captcha?
-----------------------------------------
Key: JBSEAM-1137
URL: http://jira.jboss.com/jira/browse/JBSEAM-1137
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 1.2.0.GA
Environment: Any
Reporter: Ian Hlavats
I have been experiencing "holes" in the Seam captcha integration recently (eg.
spam is getting through).
The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
The following scenario should point out a potential security issue with this approach.
Suppose I have a JSF page with a typical user comment form on it that does not use
Seam's captcha component.
Now a malicious user scrapes my JSF page and stores a local copy on his computer,
serialized UI component tree and all.
In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause
a validation error when the form is submitted without the correct captcha text.
Can the malicious user can now submit the previous copy of my form without the captcha
component in the tree?
I am using the MyFaces 1.1.4 JSF implementation.
Thanks.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira