[jbossseam-issues] [JBoss JIRA] Created: (JBSEAM-4015) Security Vulnerability in booking example

Stuart Douglas (JIRA) jira-events at lists.jboss.org
Sun Mar 15 19:27:22 EDT 2009

Security Vulnerability in booking example

                 Key: JBSEAM-4015
                 URL: https://jira.jboss.org/jira/browse/JBSEAM-4015
             Project: Seam
          Issue Type: Bug
          Components: Examples
            Reporter: Stuart Douglas

It is possible to leak details (real name and username) of a previously logged in user to an unauthenticated user in the booking example. This is because the 'user' field on the SLSB authenticator is not cleared on every log in attempt.

If an unauthenticated user gets a previously used SLSB then the 'user' field will already be set to another user's details, and if their login attempt fails then the other user's details will be outjected to the session. If this user then clicks the 'create account' button the username and real name fields will be pre-filled with the other user's details.

This of course depends on the SLSB pooling mechanism used by the AS, however it is easy to reproduce and it is possible to pull people's details out of the demo hosted at exadel.com.

Anywhere that uses SLSBs and outjection is vulnerable to similar problems unless the outjected field is set to a specific value every time.

A framework wide approach to this problem would be to nullify all outjected fields on SLSBs after method invocation.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
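The stale-field behaviour the report describes, modelled in plain Java as an added illustration (not code from the Seam booking example or the Seam framework): one pooled bean instance is handed to two unrelated sessions; the leaky authenticator assigns its user field only on success, while the hardened one resets it on every invocation, as the report recommends. The class name, the credential maps and the replay helper are assumptions made for the demo.

```java
import java.util.Map;

public class StaleOutjectionDemo {
    static final class User {
        final String username, realName;
        User(String username, String realName) { this.username = username; this.realName = realName; }
    }
    // Constructed stand-in for the example's user database.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    static final Map<String, User> USERS = Map.of("alice", new User("alice", "Alice Example"));

    interface Authenticator { User authenticate(String username, String password); }

    // Vulnerable pattern: the 'user' field (an @Out field in Seam) is only
    // written on success and never cleared, so it survives bean reuse.
    static final class LeakyAuthenticator implements Authenticator {
        private User user;
        public User authenticate(String username, String password) {
            if (password != null && password.equals(PASSWORDS.get(username))) {
                user = USERS.get(username);
            }
            return user; // on failure this is whatever the previous caller left behind
        }
    }

    // Hardened pattern: set the outjected field to a known value on every call.
    static final class SafeAuthenticator implements Authenticator {
        private User user;
        public User authenticate(String username, String password) {
            user = null; // explicit reset before any branch
            if (password != null && password.equals(PASSWORDS.get(username))) {
                user = USERS.get(username);
            }
            return user;
        }
    }

    // Simulates the container handing one pooled instance to two unrelated sessions.
    static String replay(Authenticator pooledBean) {
        pooledBean.authenticate("alice", "s3cret");            // session 1: valid login
        User leaked = pooledBean.authenticate("bob", "wrong");  // session 2: failed login
        return leaked == null ? "nothing" : leaked.username + " (" + leaked.realName + ")";
    }

    public static void main(String[] args) {
        System.out.println("leaky bean outjects: " + replay(new LeakyAuthenticator()));
        System.out.println("safe bean outjects:  " + replay(new SafeAuthenticator()));
    }
}
```

The same reset-on-entry discipline applies to any outjected field on a pooled stateless bean, which is the framework-wide fix the report suggests.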