[JBoss JIRA] (JBSEAM-5102) Seam examples use unencrypted client-side view state

Monday, 27 May 2013



     [
https://issues.jboss.org/browse/JBSEAM-5102?page=com.atlassian.jira.plugi...
]

Marek Novotny resolved JBSEAM-5102.
-----------------------------------

    Resolution: Done


fixed in seambay example
                
...
 Seam examples use unencrypted client-side view state
 ----------------------------------------------------

                 Key: JBSEAM-5102
                 URL: https://issues.jboss.org/browse/JBSEAM-5102
             Project: Seam 2
          Issue Type: Bug
          Components: Examples
    Affects Versions: 2.3.0.Final
            Reporter: David Jorm
            Assignee: Marek Novotny
             Fix For: 2.3.1.CR1


 Some seam examples use unencrypted client-side view state. For example, on EAP 5.1.1:
 jboss-eap-5.1/seam/examples/seambay/resources/WEB-INF/web.xml
 Contains:
 <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
 </context-param>
 But not a corresponding ClientStateSavingPassword value to enable encryption. This
renders the example applications vulnerable to CVE-2010-2087:
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2087
 Please either change the STATE_SAVING_METHOD to server or enable encryption:
 <env-entry>
    <env-entry-name>ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>INSERT_YOUR_PASSWORD</env-entry-value>
 </env-entry> 
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006