Status: Closed (View Workflow)
Resolution: Won't Fix
Affects Version/s: 1.2.0.GA
Fix Version/s: None
Similar Issues:Show 10 results
JBSEAM-2204 Potential XSS issue in seam text with allowed href attribute JBSEAM-1320 Seam Captcha component: clear response field before redisplaying JBSEAM-5132 Two XXE security issues in Seam remoting JBSEAM-1266 Mathematical captcha & Email obfuscator JBSEAM-1888 Minor issues in Seam security documentation JBSEAM-874 User registration for Wiki JBSEAM-799 security documentation issues JBSEAM-508 Seam/Security JBSEAM-1414 Seam security - extending Identity class JBSEAM-5130 Add security warning to seam logging docs
I have been experiencing "holes" in the Seam captcha integration recently (eg. spam is getting through).
The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.
The following scenario should point out a potential security issue with this approach.
Suppose I have a JSF page with a typical user comment form on it that does not use Seam's captcha component.
Now a malicious user scrapes my JSF page and stores a local copy on his computer, serialized UI component tree and all.
In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a validation error when the form is submitted without the correct captcha text.
Can the malicious user now submit the previous copy of my form without the captcha component in the tree?
I am using the MyFaces 1.1.4 JSF implementation.