Re: Reg vulnerability for Server State saving

Hi It is in the wiki page. See org.apache.myfaces.ALGORITHM.IV web config param for details. If you want to take a look at the class where the encryption happens, see org.apache.myfaces.shared.util.StateUtils in

Re: Reg vulnerability for Server State saving

Any thoughts on the below ? On Fri, Jan 27, 2017 at 10:57 AM, karthik kn wrote: > Hi All, > We were able to update the jsf version to the lates and randomly generate > the enc key as mentioned in > https://wiki.apache.org/myfaces/Secure_Your_Application > > However, the

Re: Reg vulnerability for Server State saving

Hi All, We were able to update the jsf version to the lates and randomly generate the enc key as mentioned in https://wiki.apache.org/myfaces/Secure_Your_Application However, the Initialization vector for CBC needs to be mentioned. Can we not generate it randomly ? Is this a bug in JSF ? If i

Re: Reg vulnerability for Server State saving

Hi, i don't think there is any other way to configure it but you can still check the sources: http://svn.apache.org/viewvc/myfaces/core/branches/1.1.x/ Regards, Thomas 2016-12-23 11:21 GMT+01:00 karthik kn : > Hi All, > Any thoughts on the below ? > > On Wed, Dec 21, 2016

Re: Reg vulnerability for Server State saving

Hi All, Any thoughts on the below ? On Wed, Dec 21, 2016 at 10:22 AM, karthik kn wrote: > Hi, > If i use a new key in web.xml as SECRET, it could be still exposed to the > Administrator on accessing the system. > > Wont this cause a vulnerability ? Is there any other

Re: Reg vulnerability for Server State saving

Hi, If i use a new key in web.xml as SECRET, it could be still exposed to the Administrator on accessing the system. Wont this cause a vulnerability ? Is there any other mechanism of storing the secret ? On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler wrote: > Hi, > > >

Re: Reg vulnerability for Server State saving

Hi, > Thank you for clarification. Using the secret mentioned in the below page > would suffice or there is some mechanism to generate the SECRET ? > You must not use the keys specified on this page but generate your own secret ones. An attacker using the same key can then produce a valid

Re: Reg vulnerability for Server State saving

Hi, Thank you for clarification. Using the secret mentioned in the below page would suffice or there is some mechanism to generate the SECRET ? https://wiki.apache.org/myfaces/Secure_Your_Application org.apache.myfaces.SECRET MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz org.apache.myfaces.ALGORITHM

Re: Reg vulnerability for Server State saving

Hi, > Currently we are not in a position to update to 1.1.8 as the change would > require a upgrade of legacy software. > > With just 1.1.5,based on the below, it has been mentioned that it is ok to > use "Server" for state saving. Based on this, can you clarify that > encryption is not required

Re: Reg vulnerability for Server State saving

Hi, Currently we are not in a position to update to 1.1.8 as the change would require a upgrade of legacy software. With just 1.1.5,based on the below, it has been mentioned that it is ok to use "Server" for state saving. Based on this, can you clarify that encryption is not required for server

Re: Reg vulnerability for Server State saving

Hi 1.1.5 is too old. Please update to 1.1.8 or upper versions. See https://wiki.apache.org/myfaces/Secure_Your_Application for details. regards, Leonardo Uribe 2016-12-19 5:44 GMT-05:00 karthik kn : > Hi, > I am using myfaces-1.1.5 and using the following state saving

Reg vulnerability for Server State saving

Hi, I am using myfaces-1.1.5 and using the following state saving method javax.faces.STATE_SAVING_METHODserver However,i see that the object identifier is being sent to the server as following This is the serialized object identifier sent over the network We are using only https and not