Posted to dev@myfaces.apache.org by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org> on 2012/09/02 00:17:07 UTC

[jira] [Resolved] (TOMAHAWK-1633) Arbitrary Session Variable Override using Captcha Renderer

     [ https://issues.apache.org/jira/browse/TOMAHAWK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leonardo Uribe resolved TOMAHAWK-1633.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.1.14-SNAPSHOT
         Assignee: Leonardo Uribe
    
> Arbitrary Session Variable Override using Captcha Renderer
> ----------------------------------------------------------
>
>                 Key: TOMAHAWK-1633
>                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
>             Project: MyFaces Tomahawk
>          Issue Type: Bug
>          Components: Captcha
>    Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
>            Reporter: Jan Alsenz
>            Assignee: Leonardo Uribe
>             Fix For: 1.1.14-SNAPSHOT
>
>         Attachments: TOMAHAWK-1633-1.patch
>
>
> Hello!
> I recently discovered that the captcha component can be misused to override arbitrary session variables (e.g. something like "username") with random content.
> The offending code is in class:
> org.apache.myfaces.custom.captcha.CAPTCHARenderer
> function "void renderCAPTCHA(FacesContext facesContext)"
> ======
>             String captchaSessionKeyName = requestMap.get(
>                 CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
> ...
>             // Set the generated text in the user session.
>             facesContext.getExternalContext().getSessionMap().put(
>                     captchaSessionKeyName, captchaText);
> ======
> Example URL: <host>/org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817
> In most cases this is not highly critical, but there will be special cases. And the behaviour is undesirable in any case.
> My suggested fix would be something like this:
> ======
>             String captchaSessionKeyName = requestMap.get(
>                 CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
> ...
>             // Set the generated text in the user session.
>             facesContext.getExternalContext().getSessionMap().put(
>                     CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME +
>                     captchaSessionKeyName, captchaText);
> ======
> Best Regards,
> Jan

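The report's "offending" and "suggested fix" snippets, run side by side as an added example (not code from the issue, the attached patch or the Tomahawk source). Plain maps stand in for the JSF request-parameter and session maps; the class name, the helper names, the "alice" session value, the captcha text and the constant's value (inferred from the parameter name in the example URL) are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: HashMaps stand in for the JSF request and session maps.
public class CaptchaSessionKeyDemo {
    // Stand-in for CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME (assumed value).
    static final String ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME = "captchaSessionKeyName";

    // Reported behaviour: the request-supplied name is used as the session key as-is.
    static void storeUnprefixed(Map<String, String> request, Map<String, Object> session,
                                String captchaText) {
        session.put(request.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME), captchaText);
    }

    // Reporter's suggestion: prefix the key so it can only land in a captcha namespace.
    static void storePrefixed(Map<String, String> request, Map<String, Object> session,
                              String captchaText) {
        String keyName = request.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        if (keyName == null) {
            // The snippet in the report would throw a NullPointerException here.
            throw new IllegalArgumentException("missing " + ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        }
        session.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + keyName, captchaText);
    }

    // Constructed application state: a session that already holds a "username" entry.
    static Map<String, Object> freshSession() {
        Map<String, Object> session = new HashMap<>();
        session.put("username", "alice");
        return session;
    }

    public static void main(String[] args) {
        // Constructed request mirroring the example URL's captchaSessionKeyName=username.
        Map<String, String> request = new HashMap<>();
        request.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME, "username");
        String captchaText = "x7Kq2"; // constructed stand-in for the generated captcha text

        Map<String, Object> before = freshSession();
        storeUnprefixed(request, before, captchaText);
        System.out.println("unprefixed: username=" + before.get("username"));

        Map<String, Object> after = freshSession();
        storePrefixed(request, after, captchaText);
        System.out.println("prefixed:   username=" + after.get("username")
                + ", keys=" + after.keySet());
    }
}
```

With the prefix in place, whatever code later reads the stored captcha text for validation has to build the session key the same way, or every check will fail.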