[ 
https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16127498#comment-16127498
 ] 

Peter Stöckli edited comment on MYFACES-4133 at 8/15/17 5:36 PM:
-----------------------------------------------------------------

[~tandraschko] I'm not sure if I understand your question correctly.
But you're right only the ViewState-ID is sent to the client, but it's 
serialized as a Java object.
So the abstract view from server to client is:
ViewState-ID (plain) -> Java serialized VS-ID -> encrypted and signed VS-ID

Now if the last part is disabled (via {{org.apache.myfaces.USE_ENCRYPTION}}, a 
malicious user can send back a serialized Java Object as a ViewState, which is 
deserialized before the server is able to recognize that it doesn't contain a 
valid ViewState-ID.


was (Author: stockli):
[~tandraschko] I'm not sure if I understand your question correctly.
But your right only the ViewState-ID is sent to the client, but it's serialized 
as a Java object.
So the abstract view from server to client is:
ViewState-ID (plain) -> Java serialized VS-ID -> encrypted and signed VS-ID

Now if the last part is disabled, a malicious user can send back a serialized 
Java Object as a ViewState, which is deserialized before the server is able to 
recognize that it doesn't contain a valid ViewState-ID.

> Don't deserialize the client provided ViewState if the state saving method is 
> server
> ------------------------------------------------------------------------------------
>
>                 Key: MYFACES-4133
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4133
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.2.12
>            Reporter: Peter Stöckli
>
> Currently the ViewState provided by the user is deserialized via Java 
> deserialization even when the {{javax.faces.STATE_SAVING_METHOD}} is set to 
> {{server}} (the default).
> The deserialization in this case is unecessary and most likely even slower 
> than just sending the ViewState Id directly.
> If a developer now disables the ViewState encryption by setting 
> {{org.apache.myfaces.USE_ENCRYPTION}} to {{false}} (against the [MyFaces 
> security advice|https://wiki.apache.org/myfaces/Secure_Your_Application]) he 
> might have unintentionally introduced a dangerous remote code execution (RCE) 
> vulnerability as described 
> [here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html].
> This has been discussed before on [Issue 
> MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021].



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to