Hi

The actions have already been taken. Releases for MyFaces core 1.1.8 and 1.2.9 are on the way and we are working hard to get 2.0.1 out. Unofficially, you can find them here:

http://people.apache.org/~lu4242/myfaces129/org/apache/myfaces/core/
http://people.apache.org/~lu4242/myfaces118/org/apache/myfaces/core/

I hope to publish them on the public Maven repo soon (we already have the required votes).

Both MyFaces and Mojarra only encrypt the state. What is missing is to add a message authentication code (MAC) to the encryption to prevent this type of attack. The problem can be solved if users change to server-side state saving, because with this configuration only an identifier is sent in the view state and no changes to the component tree can be made.

I hope to update the wiki page that talks about security soon too.

regards,

Leonardo Uribe

2010/6/10 Mark Struberg <[email protected]>

> Hi!
>
> Just got the following link over from JBoss people:
>
> http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/
>
> They claim that the way we do our client side state encryption is flawed
> (as is the one of Mojarra).
> Any actions we should take?
>
> LieGrue,
> strub
