Re: Reg vulnerability for Server State saving

2016-12-19 Thread Leonardo Uribe
Hi

1.1.5 is too old. Please update to 1.1.8 or upper versions.

See https://wiki.apache.org/myfaces/Secure_Your_Application  for details.

regards,

Leonardo Uribe

2016-12-19 5:44 GMT-05:00 karthik kn :

> Hi,
> I am using myfaces-1.1.5 and using the following state saving method
>
> <context-param>
>   <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
>   <param-value>server</param-value>
> </context-param>
>
> However, I see that the object identifier is being sent to the server as
> follows
>
> <input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState"
> value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAN0
> AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
> />
>
> This is the serialized object identifier sent over the network
>
> We are using only https and not http.
>
> Does sending this serialized object identifier without encrypting open any
> vulnerability which the attacker could use to his/her advantage ?
>
> --
> -
> Thanks & Regards
>
> Karthik.K.N
>


Reg vulnerability for Server State saving

2016-12-19 Thread karthik kn
Hi,
I am using myfaces-1.1.5 and using the following state saving method

<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
</context-param>

However, I see that the object identifier is being sent to the server as
follows



This is the serialized object identifier sent over the network

We are using only https and not http.

Does sending this serialized object identifier without encrypting open any
vulnerability which the attacker could use to his/her advantage ?

-- 
-
Thanks & Regards

Karthik.K.N
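The value pasted in the question starts with "rO0AB", which is the base64 form of the Java serialization stream header (0xACED0005), so the token is a plain, unencrypted serialized object that anyone holding it can decode. The following script is an added example (not code from the thread or from MyFaces) that a reviewer can run against a javax.faces.ViewState value to check whether it is a raw Java serialization stream and, if so, which class and string values it carries. Function names, the constructed OPAQUE_TOKEN, and the tolerant base64 handling are assumptions for this example; the VIEWSTATE_FROM_THREAD value is copied from the message above.

```python
import base64
import binascii
import string

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Type-code bytes from the Java Object Serialization Stream Protocol
TC_OBJECT, TC_CLASSDESC, TC_STRING, TC_ARRAY = 0x73, 0x72, 0x74, 0x75

# Accept only printable ASCII when harvesting string constants from the stream
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")

# The ViewState value from the thread, as it appears (line-wrapped) in the e-mail
VIEWSTATE_FROM_THREAD = """rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAN0
AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"""

# Constructed contrast value: an opaque token that is not a Java serialization stream
OPAQUE_TOKEN = base64.b64encode(b"constructed-opaque-token-0001").decode()


def decode_viewstate(value: str) -> bytes:
    """Base64-decode a ViewState value, tolerating mail line wraps and missing padding."""
    compact = "".join(value.split())
    compact += "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(compact)
    except binascii.Error:
        return b""


def leading_class_name(blob: bytes):
    """Return the class named by the first class descriptor, if the stream opens with one.

    After the 4-byte header, TC_OBJECT or TC_ARRAY is followed by TC_CLASSDESC,
    a 2-byte big-endian length and the class name in modified UTF-8.
    """
    if len(blob) < 8 or blob[4] not in (TC_OBJECT, TC_ARRAY) or blob[5] != TC_CLASSDESC:
        return None
    length = int.from_bytes(blob[6:8], "big")
    name = blob[8:8 + length]
    return name.decode("latin-1") if len(name) == length else None


def utf_strings(blob: bytes):
    """Collect TC_STRING payloads (2-byte length + bytes) that are entirely printable ASCII.

    A 0x74 byte that is really part of a name or UID is rejected because the length
    it implies overruns the stream or the payload is not printable.
    """
    found, i = [], 0
    while i < len(blob) - 2:
        if blob[i] == TC_STRING:
            length = int.from_bytes(blob[i + 1:i + 3], "big")
            payload = blob[i + 3:i + 3 + length]
            if length > 0 and len(payload) == length and all(b in PRINTABLE for b in payload):
                found.append(payload.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return found


def assess_viewstate(value: str) -> dict:
    """Report whether the token is a raw Java serialization stream and what it exposes."""
    blob = decode_viewstate(value)
    raw = blob.startswith(JAVA_STREAM_MAGIC)
    return {
        "raw_java_serialization": raw,
        "class_name": leading_class_name(blob) if raw else None,
        "strings": utf_strings(blob) if raw else [],
    }


if __name__ == "__main__":
    for label, token in (("thread value", VIEWSTATE_FROM_THREAD), ("opaque token", OPAQUE_TOKEN)):
        print(label, assess_viewstate(token))
```

Run against the value from the thread, the report shows a serialized java.lang.Object[] whose string elements include the view id (/jsp/hlr/ac_subscriber/crtSingleAC.jsp), i.e. internal path information is readable from the token even though the state itself is kept on the server; the constructed opaque token reports no serialization header. Upgrading as Leonardo advises and following the linked Secure_Your_Application page is the remediation the thread points to; this check only tells you which kind of token your deployment is currently emitting.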