[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1137) Potential security issue in Seam captcha?

Ian Hlavats (JIRA) jira-events at lists.jboss.org
Sat Aug 11 21:36:00 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-1137?page=comments#action_12371802 ] 
            
Ian Hlavats commented on JBSEAM-1137:
-------------------------------------

Hi Matt,

Encrypting the serialized component tree will not solve the problem of stale view state.

The Sun JSF-RI team have implemented a fix for this issue. It will be available in 1.2_05.

See the following link for more info:

https://javaserverfaces.dev.java.net/issues/show_bug.cgi?id=612

Thanks,
Ian

> Potential security issue in Seam captcha?
> -----------------------------------------
>
>                 Key: JBSEAM-1137
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-1137
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.2.0.GA
>         Environment: Any
>            Reporter: Ian Hlavats
>
> I have been experiencing "holes" in the Seam captcha integration recently (eg. spam is getting through).
> The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
> The following scenario should point out a potential security issue with this approach.
> Suppose I have a JSF page with a typical user comment form on it that does not use Seam's captcha component. 
> Now a malicious user scrapes my JSF page and stores a local copy on his computer, serialized UI component tree and all.
> In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a validation error when the form is submitted without the correct captcha text.
> Can the malicious user now submit the previous copy of my form without the captcha component in the tree?
> I am using the MyFaces 1.1.4 JSF implementation.
> Thanks.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        



More information about the seam-issues mailing list