David Jorm commented on JBSEAM-5130:
------------------------------------
Thanks Marek, the nightly build looks good. I guess we should just mark this bug as
resolved once the next release ships, incorporating the updated docs.
Add security warning to seam logging docs
-----------------------------------------
Key: JBSEAM-5130
URL: https://issues.jboss.org/browse/JBSEAM-5130
Project: Seam 2
Issue Type: Bug
Components: Documentation Issues
Affects Versions: 2.2.2.Final, 2.3.0.Final, 2.3.1.Final
Reporter: David Jorm
Priority: Critical
It has been reported that Seam parses expression language (EL) statements in log
messages. This is safe if used as intended - all user-provided input is supposed to be
bound to a variable in the EL, conceptually similar to bound parameters in SQL. If an
application did not use the Seam logging facility as intended, and included user-provided
strings in log messages directly via string concatenation, then a remote attacker could
use this flaw to execute arbitrary code in the context of the application server. The
documentation does not highlight this issue at all, and it seems to be highly likely that
some Seam-based application developers would have used string concatenation with
user-provided strings in log messages.
This needs to be addressed in all Seam docs as a priority:
http://docs.jboss.org/seam/2.3.1.Final/reference/html_single/#d0e4185
http://docs.jboss.org/seam/2.3.0.Final/reference/en-US/html_single/#d0e4185
http://docs.jboss.org/seam/2.2.2.Final/reference/en-US/html_single/#d0e4254
I suggest adding a big red warning admonition such as:
Title:
SECURITY WARNING: Do not use string concatenation to construct log messages
Body:
Seam logging evaluates expression language (EL) statements in log messages. This is safe
if used as intended, because all user-provided input is bound to a parameter in the EL
statement. If an application does not use the Seam logging facility as intended, and
includes user-provided strings in log messages directly via string concatenation, then a
remote attacker could inject EL statements directly into the log messages, which would be
evaluated on the server. This could lead to a variety of security impacts. To protect
against this issue, ensure that all user-provided input in log messages is bound to a
parameter, and not included directly in log messages using string concatenation.
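The unsafe and the intended usage side by side, as an added illustration (not code from the issue or from the Seam project). It assumes the Seam 2 `org.jboss.seam.log.Log` API injected via `@Logger`, where a message template may contain EL `#{...}` and positional placeholders `#0`, `#1`, ... that are filled from the varargs; the `LoginAuditor` component name and methods are hypothetical.

```java
import org.jboss.seam.annotations.Logger;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.log.Log;

// Hypothetical Seam component used to show the two logging patterns.
@Name("loginAuditor")
public class LoginAuditor {

    @Logger
    private Log log;

    // UNSAFE: the username is concatenated into the message template itself.
    // Seam interpolates the whole template, so any EL syntax contained in the
    // user-supplied value is evaluated on the server instead of being logged
    // as plain text. This is the pattern the warning tells developers to avoid.
    public void auditUnsafe(String username) {
        log.info("Login attempt for user " + username);
    }

    // SAFE: the template is a constant string under the developer's control;
    // the user-supplied value is bound to the positional parameter #0 and is
    // substituted as data, never parsed as EL. This is the intended usage.
    public void auditSafe(String username) {
        log.info("Login attempt for user #0", username);
    }
}
```

A quick code review check for this class of problem is to grep for `log.` calls whose first argument contains a `+`; every such call should be rewritten to the `#0` parameter form.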