Hi,

> Currently we are not in a position to update to 1.1.8 as the change would
> require an upgrade of legacy software.
>
> With just 1.1.5, based on the below, it has been mentioned that it is ok to
> use "Server" for state saving. Based on this, can you clarify that
> encryption is not required for server state saving.
>
No, unfortunately this is very unsafe - one should never use myfaces with unencrypted ViewState. An attacker can exploit the (useless, as it's a simple string) deserialization of a crafted ViewState token that MyFaces performs. This is almost certainly exploitable for remote code execution (<https://issues.apache.org/jira/browse/MYFACES-4021>).

regards
Moritz

--
AgNO3 GmbH & Co. KG, registered office Tübingen, Amtsgericht Stuttgart HRA 728731
Personally liable partner: Metagesellschaft mbH, registered office Tübingen, Amtsgericht Stuttgart HRB 744820, represented by Joachim Keltsch
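As an added illustration (not part of the mailing-list thread and not MyFaces project code), the web.xml fragment below contrasts a configuration that explicitly disables ViewState encryption with one that keeps it enabled and pins the keys. It applies to a MyFaces release that encrypts the server-side state token (the reply above points at 1.1.8 and MYFACES-4021 for that); the context-parameter names `org.apache.myfaces.USE_ENCRYPTION`, `org.apache.myfaces.SECRET` and `org.apache.myfaces.MAC_SECRET` are taken from the MyFaces documentation as I recall it and should be checked against the documentation of the release actually deployed. The key values are placeholders.

```xml
<!-- Added example (not from the thread or the MyFaces project):
     web.xml context parameters for MyFaces state saving.
     Parameter names assumed from MyFaces documentation; verify against
     the deployed release. Key values are placeholders. -->

<!-- Weak: server-side state saving with ViewState encryption turned off.
     The token handed to the browser is processed on postback without any
     integrity or confidentiality protection, which is the unencrypted
     ViewState situation the reply above warns against. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>false</param-value>
</context-param>

<!-- Hardened: keep encryption on, set an explicit encryption secret and a
     separate MAC secret so a token that has been altered in transit fails
     verification instead of being processed. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <!-- Placeholder: base64-encoded key of the length required by the
         configured cipher, generated per deployment and kept out of
         version control. -->
    <param-value>REPLACE_WITH_BASE64_KEY</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <!-- Placeholder: base64-encoded MAC key, distinct from the cipher key. -->
    <param-value>REPLACE_WITH_BASE64_MAC_KEY</param-value>
</context-param>
```

Only one of the two groups belongs in a real web.xml; they are shown side by side for comparison. When reviewing a deployment, the check is simple: if the effective value of `org.apache.myfaces.USE_ENCRYPTION` is `false`, or the installed release is one that does not encrypt the server-side token at all (the 1.1.5 case in the question), the ViewState is unprotected regardless of the state saving method chosen.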