[ https://issues.apache.org/jira/browse/TOMAHAWK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13446582#comment-13446582 ]

Leonardo Uribe commented on TOMAHAWK-1633:
------------------------------------------

Attached patch with solution. It changes the default behavior of t:captcha to 
use a prefix for captchaSessionKeyName. I have added a web config param that 
enables/disables the new behavior (default true or enabled) for backward 
compatibility. I also added a method:

    /**
     * Return the value stored in the session map under captchaSessionKeyName
     * 
     * @return the session value associated with captchaSessionKeyName
     */
    public String getCaptchaSessionValue()

on AbstractCAPTCHAComponent to get the value stored in session. 

If no objections, I'll commit the code soon.
                
> Arbitrary Session Variable Override using Captcha Renderer
> ----------------------------------------------------------
>
>                 Key: TOMAHAWK-1633
>                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
>             Project: MyFaces Tomahawk
>          Issue Type: Bug
>          Components: Captcha
>    Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
>            Reporter: Jan Alsenz
>         Attachments: TOMAHAWK-1633-1.patch
>
>
> Hello!
> I recently discovered that the captcha component can be misused to override 
> arbitrary session variables (e.g. something like "username") with random 
> content.
> The offending code is in class:
> org.apache.myfaces.custom.captcha.CAPTCHARenderer
> function "void renderCAPTCHA(FacesContext facesContext)"
> ======
>             String captchaSessionKeyName = requestMap.get(
>                 CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
> ...
>             // Set the generated text in the user session.
>             facesContext.getExternalContext().getSessionMap().put(
>                     captchaSessionKeyName, captchaText);
> ======
> Example URL: 
> <host>/org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817
> In most cases this is not highly critical, but there will be special cases. 
> And the behaviour is undesirable in any case.
> My suggested fix would be something like this:
> ======
>             String captchaSessionKeyName = requestMap.get(
>                 CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
> ...
>             // Set the generated text in the user session.
>             facesContext.getExternalContext().getSessionMap().put(
>                     CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME +
>                     captchaSessionKeyName, captchaText);
> ======
> Best Regards,
> Jan
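The report above boils down to one line: a request-controlled string is used verbatim as a session-map key. The following stand-alone Java class is an added illustration, not Tomahawk code; it runs the unprefixed and the prefixed `put` against a plain HashMap standing in for the JSF session map, and assumes the constant `ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME` has the value `"captchaSessionKeyName"` (the parameter name used in the example URL).

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration (not Tomahawk code): the renderer's session write with and
 * without the key prefix, run against stand-in request and session maps.
 */
public class CaptchaSessionKeyDemo {
    // Assumed stand-in for CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME.
    static final String ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME = "captchaSessionKeyName";

    /** Vulnerable form: the request-supplied name is used verbatim as the session key. */
    static void renderCaptchaUnprefixed(Map<String, Object> requestMap,
                                        Map<String, Object> sessionMap,
                                        String captchaText) {
        String captchaSessionKeyName =
            requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
        sessionMap.put(captchaSessionKeyName, captchaText);
    }

    /** Fixed form: the key is namespaced, so it cannot collide with an application attribute. */
    static void renderCaptchaPrefixed(Map<String, Object> requestMap,
                                      Map<String, Object> sessionMap,
                                      String captchaText) {
        String captchaSessionKeyName =
            requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
        sessionMap.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + captchaSessionKeyName, captchaText);
    }

    public static void main(String[] args) {
        // Constructed request: the parameter names an attribute the application already owns.
        Map<String, Object> requestMap = new HashMap<>();
        requestMap.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME, "username");

        Map<String, Object> session = new HashMap<>();
        session.put("username", "alice");
        renderCaptchaUnprefixed(requestMap, session, "X7QK2");
        // The application's own attribute has been replaced by the captcha text.
        System.out.println("unprefixed: username=" + session.get("username"));

        session.put("username", "alice");
        renderCaptchaPrefixed(requestMap, session, "X7QK2");
        // The attribute is intact; the captcha text sits under the namespaced key.
        System.out.println("prefixed:   username=" + session.get("username"));
        System.out.println("captcha key: " + ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + "username");
    }
}
```

Note that the prefix only prevents collisions with keys that do not themselves start with the prefix; the value written is still the randomly generated captcha text, so the component never writes attacker-chosen content.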

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
