Hi,

If I use a new key in web.xml as SECRET, it could still be exposed to the Administrator on accessing the system.
Won't this cause a vulnerability? Is there any other mechanism of storing the secret?

On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler <bech...@agno3.eu> wrote:
> Hi,
>
>> Thank you for clarification. Using the secret mentioned in the below page
>> would suffice or there is some mechanism to generate the SECRET?
>
> You must not use the keys specified on this page but generate your own
> secret ones. An attacker using the same key can then produce a valid
> ViewState token containing an exploit. Also, as noted on the security
> page and by Leonardo, versions up to and including 1.1.7, 1.2.8, 2.0.0
> are vulnerable to padding oracle attacks (I haven't had a close look but
> I would be pretty sure that also applies to server side state saving).
> That means that an attacker may be able to create such tokens without
> the knowledge of the key - again allowing for the same exploits.
>
> So I guess there is no way to be really safe without upgrading.
>
> Moritz
>
> PS: you also might want to consider using something stronger than DES.
>
> --
> AgNO3 GmbH & Co. KG, registered office Tübingen, Stuttgart district court HRA 728731
> Personally liable partner:
> Metagesellschaft mbH, registered office Tübingen, Stuttgart district court HRB 744820,
> represented by Joachim Keltsch

--
-------------------------
Thanks & Regards
Karthik.K.N
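The thread makes three points: the secret must be randomly generated rather than copied from documentation, a token format that is only encrypted (DES or otherwise) is open to padding oracle forgery without the key, and anyone who can read web.xml can read the key. The following is an added illustration, not MyFaces' own state-encryption code; it assumes only that MyFaces takes the Base64 form of the secret in the `org.apache.myfaces.SECRET` context parameter. It generates a random secret and shows why an encrypt-then-MAC layout defeats forgery by a party without the keys: the authentication tag is checked in constant time before any decryption or unpadding happens, so a tampered token never reaches the padding check.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative token sealing (example code, not MyFaces' implementation).
public class ViewStateSealing {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16;   // AES block size
    private static final int TAG_LEN = 32;  // HMAC-SHA256 output

    // A secret is random bytes from a CSPRNG; the Base64 string is what goes into web.xml:
    //   <context-param>
    //     <param-name>org.apache.myfaces.SECRET</param-name>
    //     <param-value>BASE64_VALUE_PRINTED_BELOW</param-value>
    //   </context-param>
    static String generateBase64Secret(int numBytes) {
        byte[] key = new byte[numBytes];
        RNG.nextBytes(key);
        return Base64.getEncoder().encodeToString(key);
    }

    // token = IV || AES-CBC(state) || HMAC-SHA256(IV || ciphertext)
    // Separate keys for encryption and authentication.
    static byte[] seal(byte[] encKey, byte[] macKey, byte[] state) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ivAndCt = concat(iv, aes.doFinal(state));
        return concat(ivAndCt, hmac(macKey, ivAndCt));
    }

    // Verify the tag first, in constant time; only authentic tokens are decrypted.
    // Every failure raises the same exception so the caller cannot distinguish
    // "bad tag" from "bad padding".
    static byte[] open(byte[] encKey, byte[] macKey, byte[] token) throws GeneralSecurityException {
        if (token.length < IV_LEN + 16 + TAG_LEN) {
            throw new GeneralSecurityException("invalid ViewState");
        }
        int tagStart = token.length - TAG_LEN;
        byte[] ivAndCt = Arrays.copyOfRange(token, 0, tagStart);
        byte[] tag = Arrays.copyOfRange(token, tagStart, token.length);
        if (!MessageDigest.isEqual(hmac(macKey, ivAndCt), tag)) {
            throw new GeneralSecurityException("invalid ViewState");
        }
        byte[] iv = Arrays.copyOfRange(ivAndCt, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(ivAndCt, IV_LEN, ivAndCt.length);
        try {
            Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
            aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
            return aes.doFinal(ct);
        } catch (GeneralSecurityException e) {
            throw new GeneralSecurityException("invalid ViewState"); // no padding detail leaks
        }
    }

    static byte[] hmac(byte[] macKey, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        return mac.doFinal(data);
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        String encSecret = generateBase64Secret(32); // 256-bit AES key
        String macSecret = generateBase64Secret(32); // 256-bit HMAC key
        System.out.println("org.apache.myfaces.SECRET candidate: " + encSecret);
        byte[] encKey = Base64.getDecoder().decode(encSecret);
        byte[] macKey = Base64.getDecoder().decode(macSecret);

        byte[] state = "constructed sample view state".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] token = seal(encKey, macKey, state);
        System.out.println("round trip ok: " + Arrays.equals(state, open(encKey, macKey, token)));

        // Flip one ciphertext byte: rejected by the MAC check, before decryption runs.
        byte[] tampered = token.clone();
        tampered[IV_LEN] ^= 0x01;
        try {
            open(encKey, macKey, tampered);
            System.out.println("tampered token accepted (should not happen)");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

The MAC only helps against a party who does not hold the keys. Whoever can read web.xml, including the administrator mentioned above, holds them and can seal any token they like, so the practical answer to that concern is to treat the file as sensitive configuration, restrict who can read it, and rotate the secret whenever that set of people changes.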