[
https://issues.jboss.org/browse/JBSEAM-5130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Marek Novotny resolved JBSEAM-5130.
-----------------------------------
Assignee: Marek Novotny
Fix Version/s: 2.3.2.CR1
Resolution: Done
> Add security warning to seam logging docs
> -----------------------------------------
>
> Key: JBSEAM-5130
> URL: https://issues.jboss.org/browse/JBSEAM-5130
> Project: Seam 2
> Issue Type: Bug
> Components: Documentation Issues
> Affects Versions: 2.2.2.Final, 2.3.0.Final, 2.3.1.Final
> Reporter: David Jorm
> Assignee: Marek Novotny
> Priority: Critical
> Fix For: 2.3.2.CR1
>
>
> It has been reported that seam parses expression language (EL) statements in
> log messages. This is safe if used as intended - all user-provided input is
> supposed to be bound to a variable in the EL, conceptually similar to bound
> parameters in SQL. If an application did not use the Seam logging facility as
> intended, and included user-provided strings in log messages directly via
> string concatenation, then a remote attacker could use this flaw to execute
> arbitrary code in the context of the application server. The documentation
> does not highlight this issue at all, and it seems to be highly likely that
> some seam-based application developers would have used string concatenation
> with user-provided strings in log messages.
> This needs to be addressed in all seam docs as a priority:
> http://docs.jboss.org/seam/2.3.1.Final/reference/html_single/#d0e4185
> http://docs.jboss.org/seam/2.3.0.Final/reference/en-US/html_single/#d0e4185
> http://docs.jboss.org/seam/2.2.2.Final/reference/en-US/html_single/#d0e4254
> I suggest adding a big red warning admonition such as:
> Title:
> SECURITY WARNING: Do not use string concatenation to construct log messages
> Body:
> Seam logging evaluates expression language (EL) statements in log messages.
> This is safe if used as intended, because all user-provided input is bound to
> a parameter in the EL statement. If an application does not use the Seam
> logging facility as intended, and includes user-provided strings in log
> messages directly via string concatenation, then a remote attacker could
> inject EL statements directly into the log messages, which would be evaluated
> on the server. This could lead to a variety of security impacts. To protect
> against this issue, ensure that all user-provided input in log messages is
> bound to a parameter, and not included directly in log messages using string
> concatenation.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
seam-issues mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/seam-issues
