[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4015) Security Vulnerability in booking example
Stuart Douglas (JIRA)
jira-events at lists.jboss.org
Sun Mar 15 19:27:22 EDT 2009
Security Vulnerability in booking example
Issue Type: Bug
Reporter: Stuart Douglas
It is possible to leak details (real name and username) of a previously logged-in user to an unauthenticated user in the booking example. This is because the 'user' field on the SLSB authenticator is not cleared on every login attempt.
If an unauthenticated user gets a previously used SLSB then the 'user' field will already be set to another user's details, and if their login attempt fails then the other user's details will be outjected to the session. If this user then clicks the 'create account' button the username and real name fields will be pre-filled with the other user's details.
This of course depends on the SLSB pooling mechanism used by the AS, however it is easy to reproduce and it is possible to pull people's details out of the demo hosted at exadel.com.
Anywhere that uses SLSBs and outjection is vulnerable to similar problems unless the outjected field is set to a specific value every time.
A framework-wide approach to this problem would be to nullify all outjected fields on SLSBs after method invocation.
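The following is an added illustration of the per-component fix the report describes (assigning the outjected field on every invocation); it is not the Seam project's own code or the booking example's source. The class, field and query names are assumptions modelled on the booking example's authenticator, and `org.jboss.seam.security.Credentials` is assumed to be available as the source of the submitted username and password.

```java
// Added illustration, not code from the Seam booking example. Names below are
// assumptions modelled on that example's authenticator.
import java.util.List;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Out;
import org.jboss.seam.security.Credentials;

@Stateless
@Name("authenticator")
public class AuthenticatorAction implements Authenticator {

    @PersistenceContext
    private EntityManager em;

    @In
    private Credentials credentials;

    // Outjected to the session after every call. The bean instance is pooled and
    // reused across unrelated callers, so this field keeps its value from one
    // invocation to the next unless the method itself overwrites it.
    @Out(required = false, scope = ScopeType.SESSION)
    private User user;

    public boolean authenticate() {
        // The fix from the report: assign the outjected field on every
        // invocation. Without this line a failed login leaves 'user' holding the
        // User stored by the last successful call on this pooled instance, and
        // Seam outjects that stale value into the new caller's session.
        user = null;

        List results = em.createQuery(
                "select u from User u where u.username = :username and u.password = :password")
            .setParameter("username", credentials.getUsername())
            .setParameter("password", credentials.getPassword())
            .getResultList();

        if (results.isEmpty()) {
            // 'user' is still null, so nothing belonging to another caller is
            // outjected on a failed attempt.
            return false;
        }
        user = (User) results.get(0);
        return true;
    }
}
```

The same reasoning applies to any `@Out` field on a stateless bean: every code path through the method must leave the field in a value that belongs to the current caller, because the container, not the application, decides which pooled instance serves the next request.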