Re: Reg vulnerability for Server State saving

2017-01-29 Thread karthik kn
Any thoughts on the below? On Fri, Jan 27, 2017 at 10:57 AM, karthik kn <keyan...@gmail.com> wrote: > Hi All, > We were able to update the jsf version to the latest and randomly generate > the enc key as mentioned in > https://wiki.apache.org/myfaces/Secure_Your_Appli

Re: Reg vulnerability for Server State saving

2017-01-26 Thread karthik kn
the sources: http://svn.apache.org/viewvc/ > myfaces/core/branches/1.1.x/ > > Regards, > Thomas > > 2016-12-23 11:21 GMT+01:00 karthik kn <keyan...@gmail.com>: > > > Hi All, > > Any thoughts on the below? > > > > On Wed, Dec 21, 2016 at 10:22 AM, karthik

Re: Reg vulnerability for Server State saving

2016-12-20 Thread karthik kn
Hi, If I use a new key in web.xml as SECRET, it could still be exposed to the Administrator on accessing the system. Won't this cause a vulnerability? Is there any other mechanism of storing the secret? On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler wrote: > Hi, > > >

Re: Reg vulnerability for Server State saving

2016-12-20 Thread karthik kn
o old. Please update to 1.1.8 or upper versions. > > See https://wiki.apache.org/myfaces/Secure_Your_Application for details. > > regards, > > Leonardo Uribe > > 2016-12-19 5:44 GMT-05:00 karthik kn <keyan...@gmail.com>: > > > Hi, > > I am using

Re: Reg vulnerability for Server State saving

2016-12-20 Thread karthik kn
Hi, Thank you for the clarification. Would using the secret mentioned in the page below suffice, or is there some mechanism to generate the SECRET? https://wiki.apache.org/myfaces/Secure_Your_Application org.apache.myfaces.SECRET MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz org.apache.myfaces.ALGORITHM

Re: Reg vulnerability for Server State saving

2016-12-23 Thread karthik kn
Hi All, Any thoughts on the below? On Wed, Dec 21, 2016 at 10:22 AM, karthik kn <keyan...@gmail.com> wrote: > Hi, > If I use a new key in web.xml as SECRET, it could still be exposed to the > Administrator on accessing the system. > > Won't this cause a vulnerability

Reg vulnerability for Server State saving

2016-12-19 Thread karthik kn
Hi, I am using myfaces-1.1.5 and using the following state saving method: javax.faces.STATE_SAVING_METHOD server. However, I see that the object identifier is being sent to the server as following. This is the serialized object identifier sent over the network. We are using only https and not