[seam-issues] [JBoss JIRA] (JBSEAM-5102) Seam examples use unencrypted client-side view state
Marek Novotny (JIRA)
jira-events at lists.jboss.org
Mon May 27 17:47:06 EDT 2013
[ https://issues.jboss.org/browse/JBSEAM-5102?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marek Novotny resolved JBSEAM-5102.
-----------------------------------
Resolution: Done
fixed in seambay example
> Seam examples use unencrypted client-side view state
> ----------------------------------------------------
>
> Key: JBSEAM-5102
> URL: https://issues.jboss.org/browse/JBSEAM-5102
> Project: Seam 2
> Issue Type: Bug
> Components: Examples
> Affects Versions: 2.3.0.Final
> Reporter: David Jorm
> Assignee: Marek Novotny
> Fix For: 2.3.1.CR1
>
>
> Some seam examples use unencrypted client-side view state. For example, on EAP 5.1.1:
> jboss-eap-5.1/seam/examples/seambay/resources/WEB-INF/web.xml
> Contains:
> <context-param>
> <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
> <param-value>client</param-value>
> </context-param>
> But not a corresponding ClientStateSavingPassword value to enable encryption. This renders the example applications vulnerable to CVE-2010-2087:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2087
> Please either change the STATE_SAVING_METHOD to server or enable encryption:
> <env-entry>
> <env-entry-name>ClientStateSavingPassword</env-entry-name>
> <env-entry-type>java.lang.String</env-entry-type>
> <env-entry-value>INSERT_YOUR_PASSWORD</env-entry-value>
> </env-entry>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the seam-issues
mailing list