Posted to dev@myfaces.apache.org by "Jan Alsenz (JIRA)" <de...@myfaces.apache.org> on 2012/08/27 14:50:07 UTC

[jira] [Created] (TOMAHAWK-1633) Arbitrary Session Variable Override using Captcha Renderer

Jan Alsenz created TOMAHAWK-1633:
------------------------------------

             Summary: Arbitrary Session Variable Override using Captcha Renderer
                 Key: TOMAHAWK-1633
                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
             Project: MyFaces Tomahawk
          Issue Type: Bug
          Components: Captcha
    Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
            Reporter: Jan Alsenz


Hello!

I recently discovered that the captcha component can be misused to override arbitrary session variables (e.g. something like "username") with random content.

The offending code is in class:
org.apache.myfaces.custom.captcha.CAPTCHARenderer
function "void renderCAPTCHA(FacesContext facesContext)"
======
            String captchaSessionKeyName = requestMap.get(
                CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
...
            // Set the generated text in the user session.
            facesContext.getExternalContext().getSessionMap().put(
                    captchaSessionKeyName, captchaText);
======

Example URL: <host>/org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817

In most cases this is not highly critical, but there will be special cases. And the behaviour is undesirable in any case.

My suggested fix would be something like this:
======
            String captchaSessionKeyName = requestMap.get(
                CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
...
            // Set the generated text in the user session.
            facesContext.getExternalContext().getSessionMap().put(
                    CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME +
                    captchaSessionKeyName, captchaText);
======

Best Regards,

Jan

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (TOMAHAWK-1633) Arbitrary Session Variable Override using Captcha Renderer

Posted by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/TOMAHAWK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13446582#comment-13446582 ] 

Leonardo Uribe commented on TOMAHAWK-1633:
------------------------------------------

Attached patch with solution. It changes the default behavior of t:captcha to use a prefix for captchaSessionKeyName. I have added a web config param that enables/disables the new behavior (default true or enabled) for backward compatibility. I also added a method:

    /**
     * Return the value stored in session map related to captchaSessionKeyName
     * 
     * @return 
     */
    public String getCaptchaSessionValue()

on AbstractCAPTCHAComponent to get the value stored in session. 

If no objections, I'll commit the code soon.
                
> Arbitrary Session Variable Override using Captcha Renderer
> ----------------------------------------------------------
>
>                 Key: TOMAHAWK-1633
>                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
>             Project: MyFaces Tomahawk
>          Issue Type: Bug
>          Components: Captcha
>    Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
>            Reporter: Jan Alsenz
>         Attachments: TOMAHAWK-1633-1.patch
>
>

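
The following is an added illustration, not code from Tomahawk or from either poster. It reproduces, with plain java.util.Map objects standing in for the JSF request and session maps, the pattern Jan describes (the request parameter is used verbatim as the session-map key, so the example URL overwrites "username") next to the prefixed key that both the proposed fix and Leonardo's patch use, with a boolean standing in for the web config param and a getCaptchaSessionValue-style accessor to read the challenge back. Class and method names, the constant's string value, the prefixEnabled flag and the sample session contents are all assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Stand-in for the t:captcha renderer path discussed in TOMAHAWK-1633.
 * CaptchaSessionDemo, renderCaptcha*, prefixEnabled and the constant's
 * value are illustrative assumptions, not the Tomahawk API.
 */
public class CaptchaSessionDemo {

    // Constant name taken from the report; the string value is assumed.
    static final String ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME = "captchaSessionKeyName";

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

    /** Generates the challenge text that is written to the session. */
    static String generateCaptchaText(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /**
     * Mirrors the reported logic: the request parameter becomes the session
     * key unchanged, so ?captchaSessionKeyName=username replaces "username".
     */
    static String renderCaptchaVulnerable(Map<String, String> requestMap,
                                          Map<String, Object> sessionMap) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        String captchaText = generateCaptchaText(6);
        sessionMap.put(captchaSessionKeyName, captchaText);
        return captchaText;
    }

    /**
     * Prefixed variant: the request can only ever write keys inside the
     * captcha namespace. prefixEnabled stands in for the web config param
     * described in the comment (name and default are assumptions).
     */
    static String renderCaptchaHardened(Map<String, String> requestMap,
                                        Map<String, Object> sessionMap,
                                        boolean prefixEnabled) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        if (captchaSessionKeyName == null || captchaSessionKeyName.isEmpty()) {
            throw new IllegalArgumentException("missing captcha session key name");
        }
        String captchaText = generateCaptchaText(6);
        sessionMap.put(sessionKey(captchaSessionKeyName, prefixEnabled), captchaText);
        return captchaText;
    }

    /** Counterpart of getCaptchaSessionValue(): reads the stored challenge. */
    static String getCaptchaSessionValue(Map<String, Object> sessionMap,
                                         String captchaSessionKeyName,
                                         boolean prefixEnabled) {
        Object value = sessionMap.get(sessionKey(captchaSessionKeyName, prefixEnabled));
        return value == null ? null : value.toString();
    }

    private static String sessionKey(String captchaSessionKeyName, boolean prefixEnabled) {
        return prefixEnabled
                ? ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + captchaSessionKeyName
                : captchaSessionKeyName;
    }

    public static void main(String[] args) {
        // Constructed session of an already authenticated user.
        Map<String, Object> session = new HashMap<>();
        session.put("username", "alice");

        // Constructed request mimicking the example URL from the report.
        Map<String, String> request = new HashMap<>();
        request.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME, "username");

        renderCaptchaVulnerable(request, session);
        System.out.println("vulnerable: username is now " + session.get("username"));

        session.put("username", "alice");
        String text = renderCaptchaHardened(request, session, true);
        String stored = getCaptchaSessionValue(session, "username", true);
        System.out.println("hardened:   username is still " + session.get("username"));
        System.out.println("hardened:   challenge stored under prefixed key, matches: "
                + text.equals(stored));
    }
}
```

With the prefix disabled (the backward-compatible setting) the hardened method degrades to the original behaviour, so a deployment that turns it off for compatibility keeps the reported weakness. Any page that validates the captcha must read the session through the prefixed key (here getCaptchaSessionValue), otherwise the check silently compares against null after the fix.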

[jira] [Resolved] (TOMAHAWK-1633) Arbitrary Session Variable Override using Captcha Renderer

Posted by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org>.
     [ https://issues.apache.org/jira/browse/TOMAHAWK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leonardo Uribe resolved TOMAHAWK-1633.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.1.14-SNAPSHOT
         Assignee: Leonardo Uribe
    
> Arbitrary Session Variable Override using Captcha Renderer
> ----------------------------------------------------------
>
>                 Key: TOMAHAWK-1633
>                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
>             Project: MyFaces Tomahawk
>          Issue Type: Bug
>          Components: Captcha
>    Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
>            Reporter: Jan Alsenz
>            Assignee: Leonardo Uribe
>             Fix For: 1.1.14-SNAPSHOT
>
>         Attachments: TOMAHAWK-1633-1.patch
>
>
