Uploaded image for project: 'Seam 2'
  1. Seam 2
  2. JBSEAM-4015

Security Vulnerability in booking example


    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.1.1.GA
    • Fix Version/s: 2.1.2.CR1
    • Component/s: Examples
    • Labels:


      It is possible to leak details (real name and username) of a previously logged in user to an un-authenticated user in the booking example. This is because the 'user' field on the SLSB authenticator is not cleared on every log in attempt.

      If an unauthenticated user gets a previously used SLSB then the 'user' field will already be set to another users details, and if their login attempt fails then the other users details will be outjected to the session. If this user then clicks the 'create account' button the username and real name fields will be pre-filled with the other users details.

      This of course depends on the SLSB pooling mechanism used by the AS, however it is easy to reproduce and it is possible to pull peoples details out of the demo hosted at exadel.com.

      Anywhere that uses SLSB's and outjection is vulnerable to similar problems unless the outjected field is set to a specific value every time.

      A framework wide approach to this problem would be to nullify all outjected fields on SLSB's after method invocation.

        Gliffy Diagrams


            Issue Links



                • Assignee:
                  norman.richards Norman Richards
                  swd847 Stuart Douglas
                • Votes:
                  0 Vote for this issue
                  1 Start watching this issue


                  • Created: