Hi, I don't think there is any other way to configure it, but you can still check the sources: http://svn.apache.org/viewvc/myfaces/core/branches/1.1.x/

Regards,
Thomas

2016-12-23 11:21 GMT+01:00 karthik kn <keyan...@gmail.com>:

> Hi All,
> Any thoughts on the below?
>
> On Wed, Dec 21, 2016 at 10:22 AM, karthik kn <keyan...@gmail.com> wrote:
>
> > Hi,
> > If I use a new key in web.xml as SECRET, it could still be exposed to the Administrator on accessing the system.
> >
> > Won't this cause a vulnerability? Is there any other mechanism of storing the secret?
> >
> > On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler <bech...@agno3.eu> wrote:
> >
> > > Hi,
> > >
> > > > Thank you for the clarification. Would using the secret mentioned on the page below suffice, or is there some mechanism to generate the SECRET?
> > >
> > > You must not use the keys specified on this page but generate your own secret ones. An attacker using the same key can then produce a valid ViewState token containing an exploit. Also, as noted on the security page and by Leonardo, versions up to and including 1.1.7, 1.2.8, 2.0.0 are vulnerable to padding oracle attacks (I haven't had a close look but I would be pretty sure that also applies to server side state saving). That means that an attacker may be able to create such tokens without the knowledge of the key - again allowing for the same exploits.
> > >
> > > So I guess there is no way to be really safe without upgrading.
> > >
> > >
> > > Moritz
> > >
> > > PS: you also might want to consider using something stronger than DES.
> > >
> > >
> > > --
> > > AgNO3 GmbH & Co. KG, registered office Tübingen, District Court Stuttgart HRA 728731
> > > Personally liable partner:
> > > Metagesellschaft mbH, registered office Tübingen, District Court Stuttgart HRB 744820,
> > > represented by Joachim Keltsch
> >
> >
> > --
> > -------------------------
> > Thanks & Regards
> >
> > Karthik.K.N
>
>
> --
> -------------------------
> Thanks & Regards
>
> Karthik.K.N
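The two points Moritz makes (generate your own secret instead of the published sample keys, and prefer something stronger than DES with a MAC so a padding oracle cannot be used) can be illustrated with a short stand-alone program. The following is an added example, not code from MyFaces or from anyone in this thread: it generates fresh random keys, prints them base64-encoded in the form the `org.apache.myfaces.SECRET` and `org.apache.myfaces.MAC_SECRET` context parameters expect (the MAC parameter is only honoured by the releases that fixed the padding oracle issue, so it assumes an upgraded deployment as Moritz recommends), and then shows an encrypt-then-MAC round trip on a constructed state blob in which a tampered token is rejected by the MAC check before the cipher ever sees it. The token layout (IV || ciphertext || HMAC) is the example's own and is not the MyFaces wire format.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ViewStateKeyDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16;   // AES block size
    private static final int TAG_LEN = 32;  // HmacSHA256 output size

    // Fresh random key material; never reuse a key printed on a documentation page.
    static byte[] randomKey(int bytes) {
        byte[] k = new byte[bytes];
        RNG.nextBytes(k);
        return k;
    }

    // Encrypt-then-MAC: AES/CBC with a random IV, then HMAC over IV || ciphertext.
    static byte[] protect(byte[] state, byte[] encKey, byte[] macKey) throws Exception {
        byte[] iv = randomKey(IV_LEN);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(state);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(iv);
        mac.update(ct);
        byte[] tag = mac.doFinal();
        byte[] token = new byte[iv.length + ct.length + tag.length];
        System.arraycopy(iv, 0, token, 0, iv.length);
        System.arraycopy(ct, 0, token, iv.length, ct.length);
        System.arraycopy(tag, 0, token, iv.length + ct.length, tag.length);
        return token;
    }

    // Verify the MAC in constant time before decrypting, so a modified token fails
    // uniformly and no padding error can leak back to the sender.
    static byte[] unprotect(byte[] token, byte[] encKey, byte[] macKey) throws Exception {
        if (token.length < IV_LEN + 16 + TAG_LEN) throw new SecurityException("token too short");
        byte[] iv = Arrays.copyOfRange(token, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(token, IV_LEN, token.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(token, token.length - TAG_LEN, token.length);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(iv);
        mac.update(ct);
        if (!MessageDigest.isEqual(tag, mac.doFinal())) throw new SecurityException("bad MAC");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] encKey = randomKey(16);   // AES-128; use 32 bytes for AES-256
        byte[] macKey = randomKey(32);
        Base64.Encoder b64 = Base64.getEncoder();
        // Values in the form the web.xml context parameters expect (base64).
        System.out.println("org.apache.myfaces.SECRET     = " + b64.encodeToString(encKey));
        System.out.println("org.apache.myfaces.MAC_SECRET = " + b64.encodeToString(macKey));

        // Constructed sample state; a real ViewState is the serialized component tree.
        byte[] state = "constructed sample view state".getBytes(StandardCharsets.UTF_8);
        byte[] token = protect(state, encKey, macKey);
        System.out.println("round trip ok: " + Arrays.equals(state, unprotect(token, encKey, macKey)));

        // Flip one ciphertext bit: the MAC check rejects it before any padding is examined.
        byte[] tampered = token.clone();
        tampered[IV_LEN + 4] ^= 0x01;
        try {
            unprotect(tampered, encKey, macKey);
            System.out.println("unexpected: tampered token accepted");
        } catch (SecurityException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ViewStateKeyDemo.java && java ViewStateKeyDemo`; paste the printed values into the corresponding `<context-param>` entries of web.xml. The MAC key is independent of the encryption key on purpose: with the MAC verified first, the server's response no longer depends on whether decryption produced valid padding, which is exactly the signal a padding oracle attack relies on. This addresses the key-quality and algorithm points only; as Moritz says, a deployment on an affected release still needs the upgrade, and a secret in web.xml remains readable by whoever administers the server, so it should be restricted by file permissions like any other credential.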