AFAIR also only client-side state saving is affected (please correct me
if I am wrong); server-side state saving, which the majority of users
use, should be safe.
Werner
On 10.06.10 08:54, Leonardo Uribe wrote:
Hi
The actions have already been taken. Releases for myfaces core 1.1.8 and
1.2.9 are on the way and we are working hard to get 2.0.1 out.
Unofficially, you can find them here:
http://people.apache.org/~lu4242/myfaces129/org/apache/myfaces/core/
http://people.apache.org/~lu4242/myfaces118/org/apache/myfaces/core/
I hope to publish them on public maven repo soon (we already have the
required votes).
Both myfaces and mojarra only encrypt the state. What is missing is adding
a message authentication code (MAC) to the encryption to prevent this
type of attack.
The problem can be solved if users change to server side state saving,
because in the view state only an identifier is sent, and no changes to
the component tree can be made with this configuration.
I hope to update the wiki page that talks about security soon too.
regards,
Leonardo Uribe
2010/6/10 Mark Struberg <[email protected]>
Hi!
Just got the following link over from JBoss people:
http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/
They claim that the way we do our client side state encryption is
flawed (as is the one of Mojarra).
Any actions we should take?
LieGrue,
strub
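The attack behind Mark's link and the MAC Leonardo says is missing, as an added example that is not part of the original thread and is not MyFaces or Mojarra code. It is written in Python rather than the projects' Java, and a small HMAC-SHA256 based Feistel network stands in for AES so that it runs with the standard library only; all function names, the keys, the IV and the "view state" bytes are constructed for this illustration. It goes slightly beyond the thread: besides showing that an encrypt-only CBC token leaks a padding oracle, `attack_encrypt_only` recovers the whole plaintext from that oracle, and `tamper_outcomes` shows that once an HMAC over IV || ciphertext is verified first, every tampered token fails in the same way and the oracle disappears.

```python
# Added illustration, not MyFaces/Mojarra code. A 4-round Feistel network keyed
# with HMAC-SHA256 stands in for AES (stdlib only); keys, IVs, state are made up.
import hashlib
import hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # Feistel round function: 8-byte keyed PRF output
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def feistel(key, blk, rounds):
    # 16-byte balanced Feistel network (a keyed permutation); reversed round order inverts it
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, _xor(pt[i:i + BLOCK], prev), range(4))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(feistel(key, ct[i:i + BLOCK], range(3, -1, -1)), prev)
        prev = ct[i:i + BLOCK]
    return out

# Flawed scheme from the thread: IV || CBC ciphertext, nothing authenticated.
def encrypt_only(key, iv, state):
    return iv + cbc_encrypt(key, iv, pad(state))

def decrypt_only(key, token):  # its padding failure is what the attacker observes
    return unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))

def outcome(open_fn, token):  # what a client can observe from one submission
    try:
        open_fn(token)
        return "accepted"
    except ValueError as e:
        return str(e)

def attack_block(oracle, prev, target):
    # recover one plaintext block from (prev, target) using oracle answers only
    inter = bytearray(BLOCK)  # D_k(target), learned from the last byte backwards
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        tail = bytes(inter[j] ^ padv for j in range(pos + 1, BLOCK))
        for guess in range(256):
            if oracle(bytes(pos) + bytes([guess]) + tail + target) and (
                    pos < BLOCK - 1  # last byte: also disturb byte 14 to rule out 0x02 0x02
                    or oracle(bytes(pos - 1) + b"\xff" + bytes([guess]) + target)):
                inter[pos] = guess ^ padv
                break
    return _xor(inter, prev)

def attack_encrypt_only(key, token):
    # attacker side: the server's decrypt_only becomes a yes/no padding oracle
    def oracle(t):
        return outcome(lambda x: decrypt_only(key, x), t) == "accepted"
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    return unpad(b"".join(attack_block(oracle, blocks[i - 1], blocks[i])
                          for i in range(1, len(blocks))))

# The fix the thread asks for: HMAC over IV || ciphertext, verified first.
def seal(enc_key, mac_key, iv, state):
    body = encrypt_only(enc_key, iv, state)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC")  # one uniform rejection, before any decryption
    return decrypt_only(enc_key, body)

def tamper_outcomes(open_fn, token):
    # flip each bit of the token in turn; collect everything a client could see
    seen = set()
    for i in range(len(token) * 8):
        t = bytearray(token)
        t[i // 8] ^= 1 << (i % 8)
        seen.add(outcome(open_fn, bytes(t)))
    return seen
```

The oracle only needs to distinguish "bad padding" from anything else (a different exception, status code or timing), which is why the fix is to verify a MAC over the whole token before touching the ciphertext and to reject with a single uniform error; in a real deployment the MAC key should be separate from the encryption key, as in `seal`/`open_sealed` above.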