[seam-issues] [JBoss JIRA] (JBSEAM-5130) Add security warning to seam logging docs

David Jorm (JIRA) jira-events at lists.jboss.org
Thu Nov 21 06:44:05 EST 2013 

David Jorm created JBSEAM-5130:
----------------------------------

             Summary: Add security warning to seam logging docs
                 Key: JBSEAM-5130
                 URL: https://issues.jboss.org/browse/JBSEAM-5130
             Project: Seam 2
          Issue Type: Bug
          Components: Documentation Issues
    Affects Versions: 2.3.1.Final, 2.3.0.Final, 2.2.2.Final
            Reporter: David Jorm
            Priority: Critical


It has been reported that seam parses expression language (EL) statements in log messages. This is safe if used as intended - all user-provided input is supposed to be bound to a variable in the EL, conceptually similar to bound parameters in SQL. If an application did not use the Seam logging facility as intended, and included user-provided strings in log messages directly via string concatenation, then a remote attacker could use this flaw to execute arbitrary code in the context of the application server. The documentation does not highlight this issue at all, and it seems to be highly likely that some seam-based application developers would have used string concatenation with user-provided strings in log messages.

This needs to be addressed in all seam docs as a priority:
http://docs.jboss.org/seam/2.3.1.Final/reference/html_single/#d0e4185
http://docs.jboss.org/seam/2.3.0.Final/reference/en-US/html_single/#d0e4185
http://docs.jboss.org/seam/2.2.2.Final/reference/en-US/html_single/#d0e4254

I suggest adding a big red warning admonition such as:

Title: 
SECURITY WARNING: Do not use string concatenation to construct log messages

Body:
Seam logging evaluates expression language (EL) statements in log messages. This is safe if used as intended, because all user-provided input is bound to a parameter in the EL statement. If an application does not use the Seam logging facility as intended, and includes user-provided strings in log messages directly via string concatenation, then a remote attacker could inject EL statements directly into the log messages, which would be evaluated on the server. This could lead to a variety of security impacts. To protect against this issue, ensure that all user-provided input in log messages is bound to a parameter, and not included directly in log messages using string concatenation.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list