[seam-issues] [JBoss JIRA] (JBSEAM-5102) CLONE - Seam examples use unencrypted client-side view state

Marek Novotny (JIRA) jira-events at lists.jboss.org
Mon May 27 04:23:06 EDT 2013 

     [ https://issues.jboss.org/browse/JBSEAM-5102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marek Novotny moved JBPAPP-10764 to JBSEAM-5102:
------------------------------------------------

                      Project: Seam 2  (was: JBoss Enterprise Application Platform 4 and 5)
                          Key: JBSEAM-5102  (was: JBPAPP-10764)
                     Workflow: GIT Pull Request workflow   (was: jira)
            Affects Version/s: 2.3.0.Final
                                   (was: EAP_EWP 5.1.1)
    Release Notes Docs Status:   (was: Documented as Resolved Issue)
                       Writer:   (was: ppenicka)
           Release Notes Text:   (was: Previously, Seam examples stored in <filename>JBOSS_HOME/seam/examples</filename> used unencrypted client-side view state.  This made the example applications vulnerable to cross-site scripting (XSS) attacks or execution of arbitrary Expression Language (EL) statements (CVE-2010-2087). With this update, the examples use server-side view state, which eliminates these vulnerabilities.)
                  Component/s: Examples
                                   (was: Seam)
                     Security:     (was: JBoss Internal)
                Fix Version/s: 2.3.1.CR1
                                   (was: EAP_EWP 5.2.0)
               Docs QE Status:   (was: NEW)

    
> CLONE - Seam examples use unencrypted client-side view state
> ------------------------------------------------------------
>
>                 Key: JBSEAM-5102
>                 URL: https://issues.jboss.org/browse/JBSEAM-5102
>             Project: Seam 2
>          Issue Type: Bug
>          Components: Examples
>    Affects Versions: 2.3.0.Final
>            Reporter: David Jorm
>            Assignee: Marek Novotny
>             Fix For: 2.3.1.CR1
>
>
> Some seam examples use unencrypted client-side view state. For example, on EAP 5.1.1:
> jboss-eap-5.1/seam/examples/seambay/resources/WEB-INF/web.xml
> Contains:
> <context-param>
>    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
>    <param-value>client</param-value>
> </context-param>
> But not a corresponding ClientStateSavingPassword value to enable encryption. This renders the example applications vulnerable to CVE-2010-2087:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2087
> Please either change the STATE_SAVING_METHOD to server or enable encryption:
> <env-entry>
>    <env-entry-name>ClientStateSavingPassword</env-entry-name>
>    <env-entry-type>java.lang.String</env-entry-type>
>    <env-entry-value>INSERT_YOUR_PASSWORD</env-entry-value>
> </env-entry>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list