[
https://issues.apache.org/jira/browse/MYFACES-4021?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15114392#comment-15114392
]
Moritz Bechler commented on MYFACES-4021:
-----------------------------------------
I would still petition you to get rid of the serialization for
server-side-state saving, this is a totally unnecessary attack vector. This is
actually exploitable without any third party code as myfaces contains a usable
gadget and I'm most certain (In fact I know of a big portal that does) that
there are sites out there vulnerable to this
(org.apache.myfaces.USE_ENCRYPTION=false).
I also had a look at Mojarra and they don't seem to serialize the view state
token for server side state saving, so that must be possible.
> blacklist
> org.codehaus.groovy.runtime.,org.apache.commons.collections.functors.,org.apache.xalan
> in MyFacesObjectInputStream
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: MYFACES-4021
> URL: https://issues.apache.org/jira/browse/MYFACES-4021
> Project: MyFaces Core
> Issue Type: Bug
> Reporter: Romain Manni-Bucau
> Priority: Blocker
>
> https://github.com/apache/incubator-batchee/commit/cfd133c309c21a82fb24cfcc9a7c2365aee4678a#diff-acd0bc06477ce776b0ad8fdda76f8b7eR56
> mecanism can be used
> (due to recent vulnerability discovered in [collections], spring, groovy we
> can't suppose we don't run with these libraries so we need this fix as well)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
