Seam 2 / JBSEAM-5102

Seam examples use unencrypted client-side view state

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.3.0.Final
    • Fix Version/s: 2.3.1.CR1
    • Component/s: Examples
    • Labels: None

      Description

      Some Seam examples use unencrypted client-side view state. For example, on EAP 5.1.1:

      jboss-eap-5.1/seam/examples/seambay/resources/WEB-INF/web.xml

      Contains:

      <context-param>
          <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
          <param-value>client</param-value>
      </context-param>

      but no corresponding ClientStateSavingPassword value to enable encryption. This renders the example applications vulnerable to CVE-2010-2087:

      https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2087

      Please either change the STATE_SAVING_METHOD to server or enable encryption:

      <env-entry>
          <env-entry-name>ClientStateSavingPassword</env-entry-name>
          <env-entry-type>java.lang.String</env-entry-type>
          <env-entry-value>INSERT_YOUR_PASSWORD</env-entry-value>
      </env-entry>
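      The following audit check is an added example, not code from this issue or from the Seam project. It applies the rule stated in the report to a web.xml: flag the file when javax.faces.STATE_SAVING_METHOD is "client" and no ClientStateSavingPassword env-entry supplies a real value (the INSERT_YOUR_PASSWORD placeholder is treated as unset); the sample web.xml documents are constructed here and the return labels are my own.

```python
import xml.etree.ElementTree as ET

STATE_PARAM = "javax.faces.STATE_SAVING_METHOD"
PASSWORD_ENTRY = "ClientStateSavingPassword"
_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip any {namespace} prefix


def _pairs(root, element, name_tag, value_tag):
    # Yield (name, value) for each <element> holding <name_tag> and <value_tag>.
    for el in root.iter():
        if _local(el.tag) != element:
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if name_tag in fields:
            yield fields[name_tag], fields.get(value_tag, "")


def audit_web_xml(xml_text):
    """Return 'ok', 'unencrypted-client-state' or 'placeholder-password'."""
    root = ET.fromstring(xml_text)
    params = dict(_pairs(root, "context-param", "param-name", "param-value"))
    entries = dict(_pairs(root, "env-entry", "env-entry-name", "env-entry-value"))
    # JSF falls back to server-side state saving when the parameter is absent.
    if params.get(STATE_PARAM, "server").lower() != "client":
        return "ok"
    password = entries.get(PASSWORD_ENTRY, "")
    if not password:
        return "unencrypted-client-state"
    if password == "INSERT_YOUR_PASSWORD":  # placeholder quoted in the report
        return "placeholder-password"
    return "ok"


# Constructed samples modelled on the snippets in the report, not real project files.
VULNERABLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
</web-app>"""

FIXED = VULNERABLE.replace("</web-app>", """  <env-entry>
    <env-entry-name>ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>constructed-example-secret</env-entry-value>
  </env-entry>
</web-app>""")

if __name__ == "__main__":
    print("vulnerable:", audit_web_xml(VULNERABLE))  # unencrypted-client-state
    print("fixed:", audit_web_xml(FIXED))            # ok
```

Switching the param-value to "server", the report's other suggested fix, also yields "ok", since the check only concerns client-side state.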

              People

              • Assignee: Marek Novotny (manaRH)
              • Reporter: David Jorm (dfj)