[seam-dev] DVD demo example configuration error

Pete Muir pmuir at bleepbleep.org.uk
Mon Feb 25 14:16:39 EST 2008


These demo servers have a very out of date jboss install IIRC. And we
don't have access to it to update/restart it.

On 25/02/2008, Jay Balunas <jbalunas at redhat.com> wrote:
> Hey All,
>
>  First - The seam examples that are linked off of seamframework.org's "See
>  Seam in Action..." section: where are they hosted?  where can I find
>  more information on them (seam version?, persistence config? etc...)?
>  and how can we change/update them?
>
>  The main reason I ask is because it appears the DVD example is having
>  some sort of persistence config issue.  Selecting "Start Shopping"
>  throws a JDBC error.  A user reported it, but I thought I remember Pete
>  saying that those demos were a little out of date.
>
>  Second - The user wanted to send me an email because he thought he saw a
>  security issue (see below) where previous users information was
>  displayed in one of the text fields.  I asked him to put a jira in and
>  that we would look into it.  Does this sound familiar to anyone?
>
>  Thanks,
>  Jay
>
>  -------- Original Message --------
>  Subject:        Re: Adam R. SeamFramework.org
>  Date:   Mon, 25 Feb 2008 10:48:25 -0500
>  From:   Jay Balunas <jbalunas at redhat.com>
>  To:     A R <adamr_98 at yahoo.com>
>  References:     <460081.70615.qm at web50906.mail.re2.yahoo.com>
>
>
>
>  Hi Adam,
>
>  Thanks for providing this information - I will take a look at the example.
>
>  But - if you could enter a jira with this information (and any other
>  info about it) that would be great. That way this can be tracked and
>  commented on.
>
>  When you say "other user sessions" do you mean other users that are
>  currently logged in, or a user that you had previously been logged in
>  as? If it is the latter - Does it appear that you are logged in as the
>  user now and can access things as that user?
>
>  Thanks,
>  Jay
>
>  A R wrote:
>  > Adam R.  SeamFramework.org
>  >
>  > jbalunas at redhat.com
>  >
>  > Hi Jay,
>  >
>  >       The on-line dvd store demo has some database
>  > configuration issues.
>  >
>  >       However, an apparent security related issue has been
>  > observed.
>  >
>  > Nutshell description: The Username text input box in
>  > the Login panel displays information entered from
>  > other users' sessions.
>  >
>  >       I've been able to reproduce this observation on
>  > numerous attempts typically in less than five (5)
>  > minutes of "banging" on the application.
>  >
>  >       At first I thought it was just browser caching and
>  > indeed anybody else will ignore it because they will
>  > see things like "User1", "User2" etc. And make the
>  > assumption that it is the way the app is supposed to
>  > run because the instructions hint to that behavior.
>  >
>  >       I am able to consistently duplicate a test that
>  > consists of visiting the site from a connection in San
>  > Jose California, and entering the Username "sanjose".
>  > I'm then able to visit the site from a different
>  > connection, computer, and browser in Berkeley
>  > California and see "sanjose" in the Username field.
>  >
>  >       I do not have a recipe for reproducing the result. My
>  > test consists of miscellaneous "banging" on the
>  > following few items (in no order):
>  >
>  > -Entering Username and then failing the app (Start
>  > Shopping).
>  > -Many fast reloads (sometimes around 50).
>  > -Clicking on the Login and/or Create Account buttons.
>  > -Multiple tabbed sessions.
>  >
>  >       My personal concern is that, the above
>  > misconfiguration is not the reason for the security
>  > violation. It is however exposing an unexpected
>  > failure mode that might otherwise be hidden. My
>  > recommendation is not to fix the configuration issues
>  > until this failure is understood.
>  >
>  > Let me know if I can provide any additional
>  > information.
>  >
>  > Regards,
>  > AdamR.


-- 
Pete Muir
http://in.relation.to/Bloggers/Pete
http://www.seamframework.org
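Added illustration, not part of this thread and not code from the Seam DVD demo: the symptom Adam describes (one visitor's Username value rendered for another) is what you get when a login form is bound to state that is shared by all sessions. The thread does not establish the root cause; the two leaky shapes below are assumed causes, shown beside the per-session form that does not leak. Component names and the `#{login.username}` binding are made up for the example.

```java
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;

// LEAK 1 (assumed cause): one instance serves every request, so whatever
// the last visitor typed into #{leakyLogin.username} is what the next
// visitor sees pre-filled, exactly the "sanjose" observation above.
@Name("leakyLogin")
@Scope(ScopeType.APPLICATION)
class LeakyLogin {
    private String username;
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
}

// LEAK 2 (assumed cause): the component scope looks right, but a static
// field is JVM-wide, so every session reads and writes the same value.
// Fast reloads and multiple tabs make the race easy to hit, which matches
// the "banging on it for a few minutes" reproduction in the report.
@Name("staticLogin")
@Scope(ScopeType.SESSION)
class StaticLogin {
    private static String username;
    public String getUsername() { return username; }
    public void setUsername(String value) { username = value; }
}

// FIXED: per-user state lives in an instance field of a SESSION-scoped
// component, so each HttpSession gets its own copy and no visitor's input
// is ever rendered for another.
@Name("login")
@Scope(ScopeType.SESSION)
public class Login {
    private String username;
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
}
```

To confirm which shape a deployment has, submit different usernames from two separate browser profiles (so no cookies are shared) and reload the login page in each; a value crossing over with no shared cookie rules out browser caching and points at server-side shared state.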