[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16127498#comment-16127498 ]
Peter Stöckli edited comment on MYFACES-4133 at 8/15/17 5:36 PM: ----------------------------------------------------------------- [~tandraschko] I'm not sure if I understand your question correctly. But you're right only the ViewState-ID is sent to the client, but it's serialized as a Java object. So the abstract view from server to client is: ViewState-ID (plain) -> Java serialized VS-ID -> encrypted and signed VS-ID Now if the last part is disabled (via {{org.apache.myfaces.USE_ENCRYPTION}}, a malicious user can send back a serialized Java Object as a ViewState, which is deserialized before the server is able to recognize that it doesn't contain a valid ViewState-ID. was (Author: stockli): [~tandraschko] I'm not sure if I understand your question correctly. But your right only the ViewState-ID is sent to the client, but it's serialized as a Java object. So the abstract view from server to client is: ViewState-ID (plain) -> Java serialized VS-ID -> encrypted and signed VS-ID Now if the last part is disabled, a malicious user can send back a serialized Java Object as a ViewState, which is deserialized before the server is able to recognize that it doesn't contain a valid ViewState-ID. > Don't deserialize the client provided ViewState if the state saving method is > server > ------------------------------------------------------------------------------------ > > Key: MYFACES-4133 > URL: https://issues.apache.org/jira/browse/MYFACES-4133 > Project: MyFaces Core > Issue Type: Bug > Components: General > Affects Versions: 2.2.12 > Reporter: Peter Stöckli > > Currently the ViewState provided by the user is deserialized via Java > deserialization even when the {{javax.faces.STATE_SAVING_METHOD}} is set to > {{server}} (the default). > The deserialization in this case is unecessary and most likely even slower > than just sending the ViewState Id directly. > If a developer now disables the ViewState encryption by setting > {{org.apache.myfaces.USE_ENCRYPTION}} to {{false}} (against the [MyFaces > security advice|https://wiki.apache.org/myfaces/Secure_Your_Application]) he > might have unintentionally introduced a dangerous remote code execution (RCE) > vulnerability as described > [here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html]. > This has been discussed before on [Issue > MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021]. -- This message was sent by Atlassian JIRA (v6.4.14#64029)