Jan Alsenz created TOMAHAWK-1633:
------------------------------------

             Summary: Arbitrary Session Variable Override using Captcha Renderer
                 Key: TOMAHAWK-1633
                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
             Project: MyFaces Tomahawk
          Issue Type: Bug
          Components: Captcha
    Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
            Reporter: Jan Alsenz
Hello!

I recently discovered that the captcha component can be misused to override arbitrary session variables (e.g. something like "username") with random content.

The offending code is in class org.apache.myfaces.custom.captcha.CAPTCHARenderer, function "void renderCAPTCHA(FacesContext facesContext)":

======
String captchaSessionKeyName = requestMap.get(
        CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
...
// Set the generated text in the user session.
facesContext.getExternalContext().getSessionMap().put(
        captchaSessionKeyName, captchaText);
======

Example URL:

<host>/org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817

In most cases this is not highly critical, but there will be special cases. And the behaviour is undesirable in any case.

My suggested fix would be something like this:

======
String captchaSessionKeyName = requestMap.get(
        CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
...
// Set the generated text in the user session.
facesContext.getExternalContext().getSessionMap().put(
        CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + captchaSessionKeyName,
        captchaText);
======

Best Regards,
Jan

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
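The following is an added, stand-alone illustration of the issue described in the report and of the suggested prefix fix; it is not code from Tomahawk or from the reporter. JSF's request parameter map and session map are stood in for by plain HashMaps, and the value of CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME is assumed to be "captchaSessionKeyName", which is the parameter name the report's example URL uses. The third variant, which additionally restricts the key to a small character set, is my own hardening suggestion and not part of the report.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/**
 * Simulates CAPTCHARenderer.renderCAPTCHA writing the generated captcha text
 * into the session under a key taken from the request. The two maps replace
 * facesContext.getExternalContext().getRequestParameterMap() and
 * ...getSessionMap() so the example runs without a JSF container.
 */
public class CaptchaSessionKeyDemo {

    // Assumed value of CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME
    // (the example URL in the report passes the key under this parameter name).
    static final String ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME = "captchaSessionKeyName";

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

    /** Random 6-character captcha text; stands in for the real generator. */
    static String generateCaptchaText() {
        StringBuilder sb = new StringBuilder(6);
        for (int i = 0; i < 6; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Mirrors the reported behaviour: the session key is whatever the request supplies. */
    static String renderCaptchaVulnerable(Map<String, String> requestMap, Map<String, Object> sessionMap) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        String captchaText = generateCaptchaText();
        sessionMap.put(captchaSessionKeyName, captchaText);   // key "username" clobbers the login
        return captchaText;
    }

    /** The report's suggested fix: prefix the key so it lands in a captcha-only namespace. */
    static String renderCaptchaPrefixed(Map<String, String> requestMap, Map<String, Object> sessionMap) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        String captchaText = generateCaptchaText();
        sessionMap.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + captchaSessionKeyName, captchaText);
        return captchaText;
    }

    /**
     * My additional hardening (not in the report): besides prefixing, reject a
     * missing key or one outside a small character set, so the attacker-chosen
     * suffix cannot be used to spray arbitrary entries into the session.
     */
    static String renderCaptchaHardened(Map<String, String> requestMap, Map<String, Object> sessionMap) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        if (captchaSessionKeyName == null || !captchaSessionKeyName.matches("[A-Za-z0-9_]{1,32}")) {
            throw new IllegalArgumentException("invalid captcha session key name");
        }
        String captchaText = generateCaptchaText();
        sessionMap.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + captchaSessionKeyName, captchaText);
        return captchaText;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        session.put("username", "alice");             // constructed: a logged-in user

        // Constructed request mirroring the report's example URL.
        Map<String, String> request = new HashMap<>();
        request.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME, "username");

        String text = renderCaptchaVulnerable(request, session);
        System.out.println("vulnerable: session username is now " + session.get("username")
                + " (captcha text " + text + ")");

        session.put("username", "alice");
        renderCaptchaPrefixed(request, session);
        System.out.println("prefixed:   username=" + session.get("username")
                + ", captcha stored under " + ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + "username");

        Map<String, String> badRequest = new HashMap<>();
        badRequest.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME, "../evil key");
        try {
            renderCaptchaHardened(badRequest, session);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened:   rejected key -> " + e.getMessage());
        }
    }
}
```

Running main shows the first call replacing "alice" with the captcha text, which is exactly the override in the report; after the prefix fix the login value survives and the captcha text sits under "captchaSessionKeyNameusername". The prefix alone still lets a caller choose the suffix, which is why the hardened variant also whitelists the characters; note too that the original code calls toString() on the request value, so a request without the parameter would throw a NullPointerException rather than fail cleanly.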