Yes, right Werner. You are safe by using server side state saving ;)

Regards,
Jakob

2010/6/10 Werner Punz <[email protected]>

> Afair also only client side state saving is affected (please correct me if
> I am wrong), server side state saving, which the majority of users use,
> should be safe.
>
> Werner
>
> On 10.06.10 08:54, Leonardo Uribe wrote:
>
>> Hi
>>
>> The actions have already been taken. Releases for MyFaces core 1.1.8 and
>> 1.2.9 are on the way and we are working hard to get 2.0.1 out.
>> Unofficially, you can find them here:
>>
>> http://people.apache.org/~lu4242/myfaces129/org/apache/myfaces/core/
>> http://people.apache.org/~lu4242/myfaces118/org/apache/myfaces/core/
>>
>> I hope to publish them on the public Maven repo soon (we already have the
>> required votes).
>>
>> Both MyFaces and Mojarra only encrypt the state. What is missing is adding
>> a message authentication code (MAC) to the encryption to prevent this
>> type of attack.
>>
>> The problem can be solved if users change to server side state saving,
>> because with that configuration only an identifier is sent in the view
>> state and no changes to the component tree can be made.
>>
>> I hope to update the wiki page that talks about security soon too.
>>
>> regards,
>>
>> Leonardo Uribe
>>
>> 2010/6/10 Mark Struberg <[email protected]>
>>
>>
>> Hi!
>>
>> Just got the following link over from JBoss people:
>>
>> http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/
>>
>> They claim that the way we do our client side state encryption is
>> flawed (as is the one of Mojarra).
>> Any actions we should take?
>>
>> LieGrue,
>> strub
>>
>

--
Jakob Korherr

blog: http://www.jakobk.com
twitter: http://twitter.com/jakobkorherr
work: http://www.irian.at
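Leonardo's point above, that encrypting the view state without a MAC leaves it malleable, as an added example (not MyFaces or Mojarra code): an encrypt-then-MAC wrapper around the serialized state where the tag is verified in constant time before decryption, so a modified token is rejected with one uniform error before CBC padding is ever examined. The class name, key handling and token layout are assumptions for this illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
/** Encrypt-then-MAC wrapper for serialized client-side view state (illustrative, not MyFaces code). */
public final class AuthenticatedViewState {
    private static final int IV_LEN = 16, MAC_LEN = 32;   // AES block size, HMAC-SHA256 tag size
    private final SecretKeySpec encKey, macKey;           // two independent keys (assumed supplied by config)
    public AuthenticatedViewState(byte[] encKeyBytes, byte[] macKeyBytes) {
        this.encKey = new SecretKeySpec(encKeyBytes, "AES");
        this.macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
    }
    /** Token layout: iv || ciphertext || HMAC-SHA256(iv || ciphertext). */
    public byte[] seal(byte[] serializedState) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);                 // fresh IV for every token
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] body = concat(iv, c.doFinal(serializedState));
        return concat(body, hmac(body));                  // the MAC covers IV and ciphertext
    }
    /** Verify the tag first: a tampered token fails here, before any CBC padding is inspected. */
    public byte[] open(byte[] token) throws GeneralSecurityException {
        if (token.length < IV_LEN + MAC_LEN) throw new GeneralSecurityException("invalid view state");
        byte[] body = Arrays.copyOfRange(token, 0, token.length - MAC_LEN);
        byte[] tag = Arrays.copyOfRange(token, token.length - MAC_LEN, token.length);
        if (!MessageDigest.isEqual(hmac(body), tag)) {    // constant-time comparison
            throw new GeneralSecurityException("invalid view state"); // same error for every failure
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(Arrays.copyOf(body, IV_LEN)));
        return c.doFinal(Arrays.copyOfRange(body, IV_LEN, body.length));
    }
    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return mac.doFinal(data);
    }
    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }
}
```

With this layout a client can no longer feed altered ciphertext blocks to the server and learn anything from the decryption result, which is exactly the information the padding oracle attack depends on; server side state saving avoids the issue entirely by sending only an identifier.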
