Hi All,

Any thoughts on the below?

On Wed, Dec 21, 2016 at 10:22 AM, karthik kn <keyan...@gmail.com> wrote:

> Hi,
>
> If I use a new key in web.xml as SECRET, it could still be exposed to the Administrator on accessing the system.
>
> Won't this cause a vulnerability? Is there any other mechanism of storing the secret?
>
> On Tue, Dec 20, 2016 at 6:52 PM, Moritz Bechler <bech...@agno3.eu> wrote:
>
>> Hi,
>>
>>> Thank you for clarification. Using the secret mentioned in the below page would suffice or there is some mechanism to generate the SECRET?
>>
>> You must not use the keys specified on this page but generate your own secret ones. An attacker using the same key can then produce a valid ViewState token containing an exploit. Also, as noted on the security page and by Leonardo, versions up to and including 1.1.7, 1.2.8, 2.0.0 are vulnerable to padding oracle attacks (I haven't had a close look but I would be pretty sure that also applies to server side state saving). That means that an attacker may be able to create such tokens without the knowledge of the key - again allowing for the same exploits.
>>
>> So I guess there is no way to be really safe without upgrading.
>>
>> Moritz
>>
>> PS: you also might want to consider using something stronger than DES.
>>
>> --
>> AgNO3 GmbH & Co. KG, registered office Tübingen, Amtsgericht Stuttgart HRA 728731
>> Personally liable partner:
>> Metagesellschaft mbH, registered office Tübingen, Amtsgericht Stuttgart HRB 744820,
>> represented by Joachim Keltsch
>
> --
> -------------------------
> Thanks & Regards
>
> Karthik.K.N

--
-------------------------
Thanks & Regards

Karthik.K.N
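The advice in the thread comes down to two points: generate your own secret instead of copying the documented sample values, and make sure a ViewState token is authenticated before it is decrypted, since the padding oracle Moritz mentions only works when unauthenticated ciphertext reaches the unpadding code. The following Python is an added illustration of both, written for this thread; it is not code from MyFaces or from either poster. It generates fresh random key material in the base64 form web.xml takes, renders the context-param entries using the parameter names as I recall them from the MyFaces documentation (org.apache.myfaces.SECRET, ALGORITHM, MAC_ALGORITHM, MAC_SECRET; treat these as an assumption and confirm against your version), and shows an encrypt-then-MAC check with a constant-time comparison that rejects a bit-flipped token or a token signed under a different key. The "ciphertext" bytes are constructed sample data standing in for an encrypted state blob. It does not address Karthik's separate concern that anyone who can read web.xml can read the secret; that is a deployment question about who may read the descriptor, not something code in the application can fix.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def generate_secret_b64(num_bytes: int = 32) -> str:
    """Fresh random key material, base64-encoded as the web.xml param expects."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def web_xml_context_params(secret_b64: str, mac_secret_b64: str) -> str:
    """Render context-param entries for web.xml.

    Parameter names follow the MyFaces documentation as I recall it; this is
    an assumption of the example, so verify them against your own version.
    """
    params = [
        ("org.apache.myfaces.SECRET", secret_b64),
        ("org.apache.myfaces.ALGORITHM", "AES"),          # instead of DES
        ("org.apache.myfaces.MAC_ALGORITHM", "HmacSHA256"),
        ("org.apache.myfaces.MAC_SECRET", mac_secret_b64),
    ]
    return "\n".join(
        f"<context-param>\n  <param-name>{name}</param-name>\n"
        f"  <param-value>{value}</param-value>\n</context-param>"
        for name, value in params
    )


def sign_token(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag computed over the ciphertext."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_token(mac_key: bytes, token: bytes) -> Optional[bytes]:
    """Return the ciphertext if the tag verifies, otherwise None.

    The comparison is constant-time and runs before any decryption or
    unpadding, so a forged or modified token never reaches the padding
    check that a padding-oracle attack depends on.
    """
    if len(token) < TAG_LEN:
        return None
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def demo() -> bool:
    """Exercise the check: genuine token accepted, tampered and wrong-key rejected."""
    mac_key = secrets.token_bytes(32)
    ciphertext = bytes(range(48))  # constructed stand-in for an encrypted ViewState
    token = sign_token(mac_key, ciphertext)

    tampered = bytearray(token)
    tampered[5] ^= 0x01  # flip one bit inside the ciphertext portion

    accepted = verify_token(mac_key, token) == ciphertext
    rejected = verify_token(mac_key, bytes(tampered)) is None
    wrong_key = verify_token(secrets.token_bytes(32), token) is None
    return accepted and rejected and wrong_key


if __name__ == "__main__":
    print(web_xml_context_params(generate_secret_b64(), generate_secret_b64()))
    print("tamper check passed:", demo())
```

Run it once to print a web.xml fragment with two independently generated secrets (one for encryption, one for the MAC); the MAC half is the part that closes the padding-oracle avenue, which is also why upgrading to a MyFaces release that authenticates the ViewState itself is the real fix rather than a key change alone.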