Posted to dev@myfaces.apache.org by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org> on 2012/09/02 00:17:07 UTC
[jira] [Resolved] (TOMAHAWK-1633) Arbitrary Session Variable Override using Captcha Renderer
[ https://issues.apache.org/jira/browse/TOMAHAWK-1633?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leonardo Uribe resolved TOMAHAWK-1633.
--------------------------------------
Resolution: Fixed
Fix Version/s: 1.1.14-SNAPSHOT
Assignee: Leonardo Uribe
> Arbitrary Session Variable Override using Captcha Renderer
> ----------------------------------------------------------
>
> Key: TOMAHAWK-1633
> URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
> Project: MyFaces Tomahawk
> Issue Type: Bug
> Components: Captcha
> Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
> Reporter: Jan Alsenz
> Assignee: Leonardo Uribe
> Fix For: 1.1.14-SNAPSHOT
>
> Attachments: TOMAHAWK-1633-1.patch
>
>
> Hello!
> I recently discovered that the captcha component can be misused to override arbitrary session variables (e.g. something like "username") with random content.
> The offending code is in class:
> org.apache.myfaces.custom.captcha.CAPTCHARenderer
> function "void renderCAPTCHA(FacesContext facesContext)"
> ======
> String captchaSessionKeyName = requestMap.get(
>     CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
> ...
> // Set the generated text in the user session.
> facesContext.getExternalContext().getSessionMap().put(
>     captchaSessionKeyName, captchaText);
> ======
> Example URL: <host>/org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817
> In most cases this is not highly critical, but there will be special cases. And the behaviour is undesirable in any case.
> My suggested fix would be something like this:
> ======
> String captchaSessionKeyName = requestMap.get(
>     CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
> ...
> // Set the generated text in the user session.
> facesContext.getExternalContext().getSessionMap().put(
>     CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME +
>     captchaSessionKeyName, captchaText);
> ======
> Best Regards,
> Jan
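The reported behaviour and the reporter's suggested prefix, side by side, as an added example that is not part of the original message or of Tomahawk's code. Plain maps stand in for the JSF request and session maps, the constant's value is assumed from the parameter name in the example URL, and the null check and the `matches` helper are hypothetical additions.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration; plain Maps stand in for the JSF request and session maps. */
public class CaptchaSessionKeyDemo {
    // Assumed value of CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME,
    // inferred from the parameter name in the report's example URL.
    static final String KEY_PARAM = "captchaSessionKeyName";

    /** Behaviour described in the report: the request chooses the session key. */
    static void storeUnprefixed(Map<String, String> request,
                                Map<String, Object> session, String captchaText) {
        session.put(request.get(KEY_PARAM), captchaText);
    }

    /** Reporter's suggested fix: captcha entries live under a fixed prefix. */
    static void storePrefixed(Map<String, String> request,
                              Map<String, Object> session, String captchaText) {
        String name = request.get(KEY_PARAM);
        if (name == null || name.isEmpty()) { // added check, not in the report
            throw new IllegalArgumentException("missing " + KEY_PARAM);
        }
        session.put(KEY_PARAM + name, captchaText);
    }

    /** Hypothetical validator: it must read back through the same prefix. */
    static boolean matches(Map<String, Object> session, String name, String input) {
        Object expected = session.get(KEY_PARAM + name);
        return expected != null && expected.equals(input);
    }

    public static void main(String[] args) {
        Map<String, String> request = new HashMap<>();
        request.put(KEY_PARAM, "username");      // constructed request parameter

        Map<String, Object> before = new HashMap<>();
        before.put("username", "alice");         // constructed application state
        storeUnprefixed(request, before, "x7Kp2");
        System.out.println("unprefixed: username=" + before.get("username"));

        Map<String, Object> after = new HashMap<>();
        after.put("username", "alice");
        storePrefixed(request, after, "x7Kp2");
        System.out.println("prefixed:   username=" + after.get("username"));
        System.out.println("captcha ok: " + matches(after, "username", "x7Kp2"));
    }
}
```

Any code that validates the captcha has to look the value up under the same prefixed key, otherwise the check silently stops matching after the fix.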