[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1137) Potential security issue in Seam captcha?
Matt Drees (JIRA)
jira-events at lists.jboss.org
Sun Aug 12 15:28:15 EDT 2007
[ http://jira.jboss.com/jira/browse/JBSEAM-1137?page=comments#action_12371809 ]
Matt Drees commented on JBSEAM-1137:
------------------------------------
Ah, interesting. Thanks.
> Potential security issue in Seam captcha?
> -----------------------------------------
>
> Key: JBSEAM-1137
> URL: http://jira.jboss.com/jira/browse/JBSEAM-1137
> Project: JBoss Seam
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.2.0.GA
> Environment: Any
> Reporter: Ian Hlavats
>
> I have been experiencing "holes" in the Seam captcha integration recently (eg. spam is getting through).
> The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
> The following scenario should point out a potential security issue with this approach.
> Suppose I have a JSF page with a typical user comment form on it that does not use Seam's captcha component.
> Now a malicious user scrapes my JSF page and stores a local copy on his computer, serialized UI component tree and all.
> In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a validation error when the form is submitted without the correct captcha text.
> Can the malicious user now submit the previous copy of my form without the captcha component in the tree?
> I am using the MyFaces 1.1.4 JSF implementation.
> Thanks.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list