Hi, > Thank you for clarification. Using the secret mentioned in the below page > would suffice or there is some mechanism to generate the SECRET ? >
You must not use the keys specified on this page but generate your own secret ones. An attacker using the same key can then produce a valid ViewState token containing an exploit. Also, as noted on the security page and by Leonardo, version up to and including 1.1.7, 1.2.8, 2.0.0 are vulnerable to padding oracle attacks (I haven't had a close look but I would be pretty sure that also applies to server side state saving). That means that an attacker may be able to create such tokens without the knowledge of the key - again allowing for the same exploits. So I guess there is no way to be really safe without upgrading. Moritz PS: you also might want to consider using something stronger than DES. -- AgNO3 GmbH & Co. KG, Sitz Tübingen, Amtsgericht Stuttgart HRA 728731 Persönlich haftend: Metagesellschaft mbH, Sitz Tübingen, Amtsgericht Stuttgart HRB 744820, Vertreten durch Joachim Keltsch
