[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1137) Potential security issue in Seam captcha?

Ian Hlavats (JIRA) jira-events at lists.jboss.org
Mon Apr 2 04:05:58 EDT 2007 

    [ http://jira.jboss.com/jira/browse/JBSEAM-1137?page=comments#action_12358058 ] 
            
Ian Hlavats commented on JBSEAM-1137:
-------------------------------------

Hi Christian,

Perhaps this is just a documentation issue. 

I think it would benefit other Seam users to be informed about this potential problem.

Can you update the Seam captcha documentation to include a note to the effect of, "server-side state saving is recommended for JSF applications using Seam's captcha support".

Please note that I used the JCaptcha servlet on it's own in my JSF applications before I used the Seam captcha component (combined with JSF validation) and this issue never occurred.

Thank you,
Ian

> Potential security issue in Seam captcha?
> -----------------------------------------
>
>                 Key: JBSEAM-1137
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-1137
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.2.0.GA
>         Environment: Any
>            Reporter: Ian Hlavats
>
> I have been experiencing "holes" in the Seam captcha integration recently (eg. spam is getting through).
> The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
> The following scenario should point out a potential security issue with this approach.
> Suppose I have a JSF page with a typical user comment form on it that does not use Seam's captcha component. 
> Now a malicious user scrapes my JSF page and stores a local copy on his computer, serialized UI component tree and all.
> In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a validation error when the form is submitted without the correct captcha text.
> Can the malicious user can now submit the previous copy of my form without the captcha component in the tree?
> I am using the MyFaces 1.1.4 JSF implementation.
> Thanks.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list