Jan Alsenz created TOMAHAWK-1633:
------------------------------------
Summary: Arbitrary Session Variable Override using Captcha Renderer
Key: TOMAHAWK-1633
URL: https://issues.apache.org/jira/browse/TOMAHAWK-1633
Project: MyFaces Tomahawk
Issue Type: Bug
Components: Captcha
Affects Versions: 1.1.13, 1.1.14-SNAPSHOT
Reporter: Jan Alsenz
Hello!
I recently discovered, that the captcha component can be misused to override
arbitrary session variables (e.g. something like "username") with random
content.
The offending code is in class:
org.apache.myfaces.custom.captcha.CAPTCHARenderer
function "void renderCAPTCHA(FacesContext facesContext)"
======
String captchaSessionKeyName = requestMap.get(
CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
...
// Set the generated text in the user session.
facesContext.getExternalContext().getSessionMap().put(
captchaSessionKeyName, captchaText);
======
Example URL:
<host>/org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817
In most cases this is not highly critical, but there will be special cases. And
the behaviour is undesirable in any case.
My suggested fix would be something like this:
======
String captchaSessionKeyName = requestMap.get(
CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
...
// Set the generated text in the user session.
facesContext.getExternalContext().getSessionMap().put(
CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME +
captchaSessionKeyName, captchaText);
======
Best Regards,
Jan
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
