Oops, I should have read the full answer by Leonardo before posting. Sometimes it is not good to post before having a decent morning coffee.

Werner

On 10.06.10 09:57, Jakob Korherr wrote:
> Yes, right Werner. You are safe by using server side state saving ;)
>
> Regards,
> Jakob
>
> 2010/6/10 Werner Punz <[email protected]>
>> Afair also only client side state saving is affected (please correct me if I am wrong); server side state saving, which the majority of users use, should be safe.
>>
>> Werner
>>
>> On 10.06.10 08:54, Leonardo Uribe wrote:
>>> Hi
>>>
>>> The actions have already been taken. Releases for MyFaces core 1.1.8 and 1.2.9 are on the way and we are working hard to get 2.0.1 out. Unofficially, you can find them here:
>>>
>>> http://people.apache.org/~lu4242/myfaces129/org/apache/myfaces/core/
>>> http://people.apache.org/~lu4242/myfaces118/org/apache/myfaces/core/
>>>
>>> I hope to publish them on the public Maven repo soon (we already have the required votes).
>>>
>>> Both MyFaces and Mojarra only encrypt the state. What is missing is to add a message authentication code (MAC) to the encryption to prevent this type of attack. The problem can be solved if users change to server side state saving, because then only an identifier is sent in the view state and no changes to the component tree could be made with this configuration.
>>>
>>> I hope to update the wiki page that talks about security soon too.
>>>
>>> regards,
>>>
>>> Leonardo Uribe
>>>
>>> 2010/6/10 Mark Struberg <[email protected]>
>>>> Hi!
>>>>
>>>> Just got the following link over from JBoss people:
>>>> http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/
>>>>
>>>> They claim that the way we do our client side state encryption is flawed (as is the one of Mojarra).
>>>>
>>>> Any actions we should take?
>>>>
>>>> LieGrue,
>>>> strub
>
> --
> Jakob Korherr
>
> blog: http://www.jakobk.com
> twitter: http://twitter.com/jakobkorherr
> work: http://www.irian.at
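Leonardo's point, that encrypting the client-side view state without a message authentication code leaves the padding check as the oracle and that encrypt-then-MAC closes it, is worked through below. This is an added example, not MyFaces or Mojarra code (the projects themselves are Java); Go is used because its standard library carries AES-CBC, HMAC-SHA256 and a constant-time compare. The keys, the sample view state and the corruptPaddingByte helper are constructed for the demonstration. decryptOnly models the encrypt-only design: a modified token fails with a distinct padding error. openState is the fix: the tag is verified before any decryption, so every modified token fails with the same MAC error and the padding is never evaluated on bytes the client controls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo keys; a deployment derives two independent keys from its configured secret.
var (
	encKey        = []byte("0123456789abcdef")                 // 16 bytes: AES-128
	macKey        = []byte("fedcba9876543210fedcba9876543210") // HMAC-SHA256 key
	aesBlock, _   = aes.NewCipher(encKey)                      // key length is valid, so err is nil
	ErrBadPadding = errors.New("invalid PKCS#7 padding")       // leaked by the encrypt-only path
	ErrBadMAC     = errors.New("view state MAC mismatch")      // the only error of the MAC path
)

// pad returns a fresh copy of b with PKCS#7 padding up to the AES block size.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, 0, len(b)+n)
	return append(append(out, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#7 padding, rejecting any malformed trailer; callers pass at least one whole block.
func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return b[:len(b)-n], nil
}

// encryptOnly models the vulnerable design: AES-CBC, random IV, no integrity tag. Output is iv || ciphertext.
func encryptOnly(plain []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := pad(plain) // pad returned a fresh copy, so CBC can run in place
	cipher.NewCBCEncrypter(aesBlock, iv).CryptBlocks(out, out)
	return append(iv, out...), nil
}

// decryptOnly mirrors encryptOnly; tampering surfaces as ErrBadPadding, and that distinguishable error is the oracle.
func decryptOnly(ct []byte) ([]byte, error) {
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	out := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(aesBlock, ct[:aes.BlockSize]).CryptBlocks(out, ct[aes.BlockSize:])
	return unpad(out)
}

// sealState is encrypt-then-MAC: token = iv || ciphertext || HMAC-SHA256(macKey, iv || ciphertext).
func sealState(plain []byte) ([]byte, error) {
	ct, err := encryptOnly(plain)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(ct), nil
}

// openState checks the tag in constant time before any decryption, so every tampered token fails identically.
func openState(token []byte) ([]byte, error) {
	if len(token) < sha256.Size+2*aes.BlockSize {
		return nil, ErrBadMAC
	}
	ct, tag := token[:len(token)-sha256.Size], token[len(token)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, ErrBadMAC
	}
	return decryptOnly(ct)
}

// corruptPaddingByte sets the high bit of the last byte of the block before the final ciphertext block;
// in CBC that sets the high bit of the final padding byte, a value above the block size that unpad
// always rejects. ctLen is the length of iv || ciphertext inside b (sealed tokens also carry a tag).
func corruptPaddingByte(b []byte, ctLen int) []byte {
	c := append([]byte(nil), b...)
	c[ctLen-aes.BlockSize-1] ^= 0x80
	return c
}

func main() {
	state := []byte("constructed view state: viewId=/index.xhtml;counter=3")
	ct, _ := encryptOnly(state)
	tok, _ := sealState(state)
	_, e1 := decryptOnly(corruptPaddingByte(ct, len(ct)))
	_, e2 := openState(corruptPaddingByte(tok, len(tok)-sha256.Size))
	fmt.Println("encrypt-only:", e1, "| encrypt-then-MAC:", e2)
}
```

The same corruption applied to both tokens yields two different outcomes: the encrypt-only path reports a padding failure, which is the per-byte signal the attack tool described in the article depends on, while the MAC path reports only a tag mismatch, exactly as it would for any other modification of the token. Server-side state saving, as Leonardo notes, avoids the problem differently: only an opaque identifier travels to the client, so there is no encrypted component tree to tamper with.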
