Seam 2 / JBSEAM-1137

Potential security issue in Seam captcha?

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 1.2.0.GA
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None
    • Environment: Any

      Description

      I have been experiencing "holes" in the Seam captcha integration recently (e.g. spam is getting through).

      The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.

      The following scenario should point out a potential security issue with this approach.

      Suppose I have a JSF page with a typical user comment form on it that does not use Seam's captcha component.

      Now a malicious user scrapes my JSF page and stores a local copy on his computer, serialized UI component tree and all.

      In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a validation error when the form is submitted without the correct captcha text.

      Can the malicious user now submit the previous copy of my form without the captcha component in the tree?

      I am using the MyFaces 1.1.4 JSF implementation.

      Thanks.

        Activity

        Christian Bauer
        added a comment -

        What does this have to do with the captcha? If you save state on the client, you trust the client. Don't save state on the client if you can't trust the client.

        Ian Hlavats
        added a comment -

        Hi Christian,

        Perhaps this is just a documentation issue.

        I think it would benefit other Seam users to be informed about this potential problem.

        Can you update the Seam captcha documentation to include a note to the effect of, "server-side state saving is recommended for JSF applications using Seam's captcha support".

        Please note that I used the JCaptcha servlet on its own in my JSF applications before I used the Seam captcha component (combined with JSF validation) and this issue never occurred.

        Thank you,
        Ian

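        The setting this thread keeps coming back to, shown here as an added illustration that is not taken from the issue or from the Seam project: the standard JSF context parameter `javax.faces.STATE_SAVING_METHOD` in `web.xml`, with the client-side value the Seam documentation recommended placed beside the server-side value Ian asks to have recommended instead. The deployment descriptor around it is assumed; only the parameter name and its two values are standard JSF.

```xml
<!-- web.xml fragment (added example, not the Seam project's own file).
     javax.faces.STATE_SAVING_METHOD is the standard JSF parameter; the
     surrounding deployment descriptor is assumed for completeness. -->
<web-app>

  <!-- Weak for the scenario in this issue: the serialized component tree
       travels to the browser and back, so a copy of the page saved before
       the captcha component was added remains a well-formed, captcha-free
       tree. Encrypting the state protects it from tampering but does not
       make an old, validly produced copy stale. -->
  <!--
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  -->

  <!-- Setting to use when the client is not trusted: the component tree is
       kept in the server-side session and the browser carries only a
       reference to it, so the client cannot supply its own copy of the tree,
       and a view the server no longer holds cannot be restored. -->
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
  </context-param>

</web-app>
```

        Server-side state saving costs session memory per rendered view, which is the usual reason client-side saving is suggested; for a public form that relies on a validation component being present in the tree, that trade-off is the one the reporter is asking the documentation to spell out.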
        Ian Hlavats
        added a comment -

        typo

        Mariusz Smykula
        added a comment -

        Why do we need a captcha if we trust our clients? A captcha is needed when we don't trust them. Am I wrong?

        Matt Drees
        added a comment -

        As I understand it, both MyFaces and the Sun RI allow you to encrypt the serialized component tree state.

        Ian Hlavats
        added a comment -

        Hi Matt,

        Encrypting the serialized component tree will not solve the problem of stale view state.

        The Sun JSF-RI team have implemented a fix for this issue. It will be available in 1.2_05.

        See the following link for more info:

        https://javaserverfaces.dev.java.net/issues/show_bug.cgi?id=612

        Thanks,
        Ian

        Matt Drees
        added a comment -

        Ah, interesting. Thanks.


          People

          • Assignee: Unassigned
          • Reporter: Ian Hlavats
          • Votes: 0
          • Watchers: 2