[jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-1137) Potential security issue in Seam captcha?

Gavin King (JIRA) jira-events at lists.jboss.org
Thu Jul 19 06:26:47 EDT 2007


     [ http://jira.jboss.com/jira/browse/JBSEAM-1137?page=all ]

Gavin King closed JBSEAM-1137.
------------------------------

    Resolution: Won't Fix

> Potential security issue in Seam captcha?
> -----------------------------------------
>
>                 Key: JBSEAM-1137
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-1137
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.2.0.GA
>         Environment: Any
>            Reporter: Ian Hlavats
>
> I have been experiencing "holes" in the Seam captcha integration recently (eg. spam is getting through).
> The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
> The following scenario should point out a potential security issue with this approach.
> Suppose I have a JSF page with a typical user comment form on it that does not use Seam's captcha component. 
> Now a malicious user scrapes my JSF page and stores a local copy on his computer, serialized UI component tree and all.
> In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a validation error when the form is submitted without the correct captcha text.
> Can the malicious user now submit the previous copy of my form without the captcha component in the tree?
> I am using the MyFaces 1.1.4 JSF implementation.
> Thanks.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        



More information about the seam-issues mailing list