David Jorm created JBSEAM-5130:
----------------------------------

             Summary: Add security warning to seam logging docs
                 Key: JBSEAM-5130
                 URL: https://issues.jboss.org/browse/JBSEAM-5130
             Project: Seam 2
          Issue Type: Bug
          Components: Documentation Issues
    Affects Versions: 2.3.1.Final, 2.3.0.Final, 2.2.2.Final
            Reporter: David Jorm
            Priority: Critical


It has been reported that seam parses expression language (EL) statements in 
log messages. This is safe if used as intended - all user-provided input is 
supposed to be bound to a variable in the EL, conceptually similar to bound 
parameters in SQL. If an application did not use the Seam logging facility as 
intended, and included user-provided strings in log messages directly via 
string concatenation, then a remote attacker could use this flaw to execute 
arbitrary code in the context of the application server. The documentation does 
not highlight this issue at all, and it seems to be highly likely that some 
seam-based application developers would have used string concatenation with 
user-provided strings in log messages.

This needs to be addressed in all seam docs as a priority:
http://docs.jboss.org/seam/2.3.1.Final/reference/html_single/#d0e4185
http://docs.jboss.org/seam/2.3.0.Final/reference/en-US/html_single/#d0e4185
http://docs.jboss.org/seam/2.2.2.Final/reference/en-US/html_single/#d0e4254

I suggest adding a big red warning admonition such as:

Title: 
SECURITY WARNING: Do not use string concatenation to construct log messages

Body:
Seam logging evaluates expression language (EL) statements in log messages. 
This is safe if used as intended, because all user-provided input is bound to a 
parameter in the EL statement. If an application does not use the Seam logging 
facility as intended, and includes user-provided strings in log messages 
directly via string concatenation, then a remote attacker could inject EL 
statements directly into the log messages, which would be evaluated on the 
server. This could lead to a variety of security impacts. To protect against 
this issue, ensure that all user-provided input in log messages is bound to a 
parameter, and not included directly in log messages using string concatenation.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
seam-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/seam-issues
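The two logging patterns the report contrasts, shown as an added example that is not part of the issue text or of Seam's own code. It is a simplified Python model of how a Seam-style log call interpolates its message (assumption: one pass over the message template that evaluates `#{...}` expressions and substitutes `#0`, `#1`, ... positional parameters as literal text, which is the behaviour the report describes); the context dictionary, the `ToyInterpolator` class and the user input are all constructed for illustration.

```python
import re

# One pattern, one pass: either an EL expression "#{...}" or a positional
# parameter "#0", "#1", ...  Substituted text is never rescanned, so a value
# bound as a parameter cannot be evaluated as EL.
TOKEN = re.compile(r"#\{([^}]*)\}|#(\d+)")


class ToyInterpolator:
    """Constructed stand-in for a Seam-style message interpolator (not Seam's code)."""

    def __init__(self, context):
        self.context = context   # constructed EL context, e.g. {"app": {...}}
        self.evaluated = []      # every EL expression this interpolator evaluated

    def evaluate_el(self, expr):
        # Toy EL: dotted lookup against the context, e.g. "app.version".
        value = self.context
        for part in expr.strip().split("."):
            value = value[part] if isinstance(value, dict) else getattr(value, part)
        self.evaluated.append(expr.strip())
        return str(value)

    def interpolate(self, message, *params):
        def replace(match):
            el_expr, param_index = match.group(1), match.group(2)
            if el_expr is not None:
                try:
                    return self.evaluate_el(el_expr)
                except (KeyError, AttributeError):
                    return match.group(0)          # unresolvable EL left as-is
            index = int(param_index)
            if index < len(params):
                return str(params[index])          # inserted as plain text
            return match.group(0)                  # no such parameter: keep token
        return TOKEN.sub(replace, message)


def log_unsafe(interp, user_input):
    # The pattern the report warns about: user input concatenated into the
    # message template, so any "#{...}" the user supplies is evaluated.
    return interp.interpolate("Login failed for user " + user_input)


def log_safe(interp, user_input):
    # The intended pattern: user input bound to positional parameter #0,
    # so it is substituted as text and never evaluated.
    return interp.interpolate("Login failed for user #0", user_input)


def demonstrate(user_input="#{app.version}"):
    # Constructed context and constructed attacker-style input that happens
    # to be a valid EL expression.
    context = {"app": {"name": "orders-service", "version": "2.3.1"}}
    unsafe, safe = ToyInterpolator(context), ToyInterpolator(context)
    return {
        "unsafe_message": log_unsafe(unsafe, user_input),
        "unsafe_evaluated": unsafe.evaluated,
        "safe_message": log_safe(safe, user_input),
        "safe_evaluated": safe.evaluated,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

With the constructed input, the concatenated form logs the evaluated value (`2.3.1`) and records that `app.version` was evaluated on the server, while the parameter-bound form logs the literal string `#{app.version}` and evaluates nothing. The point to carry back to real code is that the message template must be a constant and every user-provided value must arrive through a parameter.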