Hi, thank you for the clarification. Would using the secret mentioned on the page below suffice, or is there some mechanism to generate the SECRET?
https://wiki.apache.org/myfaces/Secure_Your_Application

    <context-param>
        <param-name>org.apache.myfaces.SECRET</param-name>
        <param-value>MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz</param-value>
    </context-param>
    <context-param>
        <param-name>org.apache.myfaces.ALGORITHM</param-name>
        <param-value>AES</param-value>
    </context-param>
    <context-param>
        <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
        <param-value>CBC/PKCS5Padding</param-value>
    </context-param>
    <context-param>
        <param-name>org.apache.myfaces.ALGORITHM.IV</param-name>
        <param-value>NzY1NDMyMTA3NjU0MzIxMA==</param-value>
    </context-param>

On Tue, Dec 20, 2016 at 4:34 PM, Moritz Bechler <bech...@agno3.eu> wrote:
> Hi,
>
>> Currently we are not in a position to update to 1.1.8 as the change would
>> require an upgrade of legacy software.
>>
>> With just 1.1.5, based on the below, it has been mentioned that it is ok to
>> use "Server" for state saving. Based on this, can you clarify that
>> encryption is not required for server state saving?
>
> No, unfortunately this is very unsafe - one should never use myfaces
> with unencrypted ViewState. An attacker can exploit the (useless, as
> it's a simple string) deserialization of a crafted ViewState token that
> MyFaces performs. This is almost certainly exploitable for remote code
> execution (<https://issues.apache.org/jira/browse/MYFACES-4021>).
>
> regards
> Moritz
>
> --
> AgNO3 GmbH & Co. KG, registered office Tübingen, Stuttgart Local Court HRA 728731
> Personally liable partner:
> Metagesellschaft mbH, registered office Tübingen, Stuttgart Local Court HRB 744820,
> represented by Joachim Keltsch
>

--
-------------------------
Thanks & Regards
Karthik.K.N
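Added example, not from this thread or the MyFaces project: it generates a random org.apache.myfaces.SECRET and IV in the Base64 form the wiki snippet uses, and checks a candidate value the way a reviewer would. It assumes MyFaces accepts any Base64-encoded key of a valid AES length (16, 24 or 32 bytes); the wiki's sample key decodes to the ASCII digits 012345678901234567890123, so anyone who has read that page knows it. The helper names are my own.

```python
import base64
import secrets

# Values copied from the wiki page quoted above. They are documentation samples,
# not deployment secrets: the key decodes to "012345678901234567890123".
WIKI_SAMPLE_SECRET = "MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz"
WIKI_SAMPLE_IV = "NzY1NDMyMTA3NjU0MzIxMA=="

AES_KEY_LENGTHS = (16, 24, 32)  # AES-128 / AES-192 / AES-256, in bytes
AES_BLOCK_SIZE = 16             # a CBC IV must be exactly one block


def generate_secret(key_len: int = 32) -> str:
    """Return a fresh random AES key, Base64-encoded as org.apache.myfaces.SECRET expects."""
    if key_len not in AES_KEY_LENGTHS:
        raise ValueError(f"AES key length must be one of {AES_KEY_LENGTHS}, not {key_len}")
    return base64.b64encode(secrets.token_bytes(key_len)).decode("ascii")


def generate_iv() -> str:
    """Return a random 16-byte CBC IV, Base64-encoded, for org.apache.myfaces.ALGORITHM.IV."""
    return base64.b64encode(secrets.token_bytes(AES_BLOCK_SIZE)).decode("ascii")


def check_secret(secret_b64: str) -> dict:
    """Decode a candidate SECRET and report the properties a reviewer would look at."""
    raw = base64.b64decode(secret_b64, validate=True)
    return {
        "length": len(raw),
        "valid_aes_length": len(raw) in AES_KEY_LENGTHS,
        # A value copied from public documentation is known to everyone.
        "is_published_sample": secret_b64 == WIKI_SAMPLE_SECRET,
        # All printable ASCII suggests a typed string rather than random key bytes.
        "looks_like_ascii_text": all(32 <= b < 127 for b in raw),
    }


def check_iv(iv_b64: str) -> bool:
    """True when the Base64 IV decodes to exactly one AES block."""
    return len(base64.b64decode(iv_b64, validate=True)) == AES_BLOCK_SIZE


if __name__ == "__main__":
    print("wiki sample secret:", check_secret(WIKI_SAMPLE_SECRET))
    print("wiki sample IV ok :", check_iv(WIKI_SAMPLE_IV))
    print("fresh SECRET      :", generate_secret())
    print("fresh IV          :", generate_iv())
```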