[seam-dev] DVD demo example configuration error
Pete Muir
pmuir at bleepbleep.org.uk
Mon Feb 25 14:16:39 EST 2008
These demo servers have a very out of date jboss install IIRC. And we
don't have access to it to update/restart it.
On 25/02/2008, Jay Balunas <jbalunas at redhat.com> wrote:
> Hey All,
>
> First - The seam examples that are linked off of seamframework.org's "See
> Seam in Action..." section: where are they hosted? where can I find
> more information on them (seam version?, persistence config? etc...)?
> and how can we change/update them?
>
> The main reason I ask is because it appears the DVD example is having
> some sort of persistence config issue. Selecting "Start Shopping"
> throws a JDBC error. A user reported it, but I thought I remembered Pete
> saying that those demos were a little out of date.
>
> Second - The user wanted to send me an email because he thought he saw a
> security issue (see below) where previous users information was
> displayed in one of the text fields. I asked him to put a jira in and
> that we would look into it. Does this sound familiar to anyone?
>
> Thanks,
> Jay
>
> -------- Original Message --------
> Subject: Re: Adam R. SeamFramework.org
> Date: Mon, 25 Feb 2008 10:48:25 -0500
> From: Jay Balunas <jbalunas at redhat.com>
> To: A R <adamr_98 at yahoo.com>
> References: <460081.70615.qm at web50906.mail.re2.yahoo.com>
>
> Hi Adam,
>
> Thanks for providing this information - I will take a look at the example.
>
> But - if you could enter a jira with this information (and any other
> info about it) that would be great. That way this can be tracked and
> commented on.
>
> When you say "other user sessions" do you mean other users that are
> currently logged in, or a user that you had previously been logged in
> as? If it is the latter - Does it appear that you are logged in as the
> user now and can access things as that user?
>
> Thanks,
> Jay
>
> A R wrote:
> > Adam R. SeamFramework.org
> >
> > jbalunas at redhat.com
> >
> > Hi Jay,
> >
> > The on-line dvd store demo has some database
> > configuration issues.
> >
> > However, an apparent security related issue has been
> > observed.
> >
> > Nutshell description: The Username text input box in
> > the Login panel displays information entered from
> > other users' sessions.
> >
> > I've been able to reproduce this observation on
> > numerous attempts typically in less than five (5)
> > minutes of "banging" on the application.
> >
> > At first I thought it was just browser caching and
> > indeed anybody else will ignore it because they will
> > see things like "User1", "User2" etc. And make the
> > assumption that it is the way the app is supposed to
> > run because the instructions hint to that behavior.
> >
> > I am able to consistently duplicate a test that
> > consists of visiting the site from a connection in San
> > Jose California, and entering the Username "sanjose".
> > I'm then able to visit the site from a different
> > connection, computer, and browser in Berkeley
> > California and see "sanjose" in the Username field.
> >
> > I do not have a recipe for reproducing the result. My
> > test consists of miscellaneous "banging" on the
> > following few items (in no order):
> >
> > - Entering Username and then failing the app (Start
> >   Shopping).
> > - Many fast reloads (sometimes around 50).
> > - Clicking on the Login and/or Create Account buttons.
> > - Multiple tabbed sessions.
> >
> > My personal concern is that the above
> > misconfiguration is not the reason for the security
> > violation. It is however exposing an unexpected
> > failure mode that might otherwise be hidden. My
> > recommendation is not to fix the configuration issues
> > until this failure is understood.
> >
> > Let me know if I can provide any additional
> > information.
> >
> > Regards,
> > AdamR.
> >
> >
>
>
> _______________________________________________
> seam-dev mailing list
> seam-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/seam-dev
>
--
Pete Muir
http://in.relation.to/Bloggers/Pete
http://www.seamframework.org
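The thread reports a symptom (the Username box showing what another client typed) without identifying a cause. The following Python model is an added example, not code from the Seam DVD store or from anyone on this list. It assumes one common way such cross-session bleed arises, a login form object held in application scope instead of session scope, and pairs it with the kind of two-client isolation check the reporter ran by hand from two locations. The registry classes, the `Client` helper and all usernames are constructed for the illustration.

```python
"""
Model of a login-form backing object wired at two different scopes, plus a
session-isolation check that flags any username visible to a client that did
not type it. The application-scoped variant is a hypothetical reproduction of
the reported symptom; the real root cause is not established in the thread.
"""
import itertools


class LoginForm:
    """Backs the Username text box rendered on the Login panel."""

    def __init__(self):
        self.username = ""


class ApplicationScopedRegistry:
    """Hypothetical faulty wiring: ONE LoginForm instance shared by every
    session, so a value typed by one client is rendered for the next."""

    def __init__(self):
        self._shared = LoginForm()

    def form_for(self, session_id):
        return self._shared          # session_id is ignored: that is the bug


class SessionScopedRegistry:
    """Correct wiring: a distinct LoginForm per session id."""

    def __init__(self):
        self._forms = {}

    def form_for(self, session_id):
        return self._forms.setdefault(session_id, LoginForm())


class Client:
    """A browser with its own session cookie (constructed ids: sess-1, sess-2, ...)."""

    _ids = itertools.count(1)

    def __init__(self, app):
        self.app = app
        self.session_id = f"sess-{next(Client._ids)}"

    def type_username(self, value):
        self.app.form_for(self.session_id).username = value

    def render_login_page(self):
        """Return whatever the Username box would be pre-filled with."""
        return self.app.form_for(self.session_id).username


def leaked_usernames(registry_factory, attempts=50):
    """Isolation check: for each attempt, client A types a username and a fresh
    client B loads the login page. Any non-empty value B sees is a leak.
    Returns the list of leaked values (empty means isolation held)."""
    app = registry_factory()
    leaked = []
    for i in range(attempts):
        a = Client(app)
        a.type_username(f"user{i}")      # constructed input, e.g. "sanjose"
        b = Client(app)
        seen = b.render_login_page()
        if seen:
            leaked.append(seen)
    return leaked


if __name__ == "__main__":
    print("application scope leaks:", len(leaked_usernames(ApplicationScopedRegistry)))
    print("session scope leaks:    ", len(leaked_usernames(SessionScopedRegistry)))
```

Run against the shared-instance wiring every attempt leaks; against per-session wiring none do. The same two-client loop, pointed at real HTTP sessions instead of this in-memory model, is the regression check to keep once the actual cause in the demo is found, and it is independent of the JDBC misconfiguration the reporter asked to leave in place until the leak is understood.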