Seam 2 issue JBSEAM-1137

Potential security issue in Seam captcha?

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 1.2.0.GA
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None
    • Environment: Any

      Description

      I have been experiencing "holes" in the Seam captcha integration recently (e.g. spam is getting through).

      The Seam documentation (section 21.1.1) recommends client-side state saving for JSF.

      The following scenario should point out a potential security issue with this approach.

      Suppose I have a JSF page with a typical user comment form on it that does not use Seam's captcha component.

      Now a malicious user scrapes my JSF page and stores a local copy on his computer, serialized UI component tree and all.

      In the meantime, I add Seam's captcha component to my JSF page, trusting it to cause a validation error when the form is submitted without the correct captcha text.

      Can the malicious user now submit the previous copy of my form without the captcha component in the tree?

      I am using the MyFaces 1.1.4 JSF implementation.

      Thanks.


          Activity

          christian.bauer Christian Bauer added a comment -

          What does this have to do with the captcha? If you save state on the client, you trust the client. Don't save state on the client if you can't trust the client.

          tarantula Ian Hlavats added a comment -

          Hi Christian,

          Perhaps this is just a documentation issue.

          I think it would benefit other Seam users to be informed about this potential problem.

          Can you update the Seam captcha documentation to include a note to the effect of, "server-side state saving is recommended for JSF applications using Seam's captcha support"?

          Please note that I used the JCaptcha servlet on its own in my JSF applications before I used the Seam captcha component (combined with JSF validation) and this issue never occurred.

          Thank you,
          Ian

          tarantula Ian Hlavats added a comment -

          typo

          mariuszs Mariusz Smykula added a comment -

          Why do we need a captcha if we trust our clients? A captcha is needed when we don't trust them. Am I wrong?

          matt.drees Matt Drees added a comment -

          As I understand it, both MyFaces and the Sun RI allow you to encrypt the serialized component tree state.

          tarantula Ian Hlavats added a comment -

          Hi Matt,

          Encrypting the serialized component tree will not solve the problem of stale view state.

          The Sun JSF-RI team have implemented a fix for this issue. It will be available in 1.2_05.

          See the following link for more info:

          https://javaserverfaces.dev.java.net/issues/show_bug.cgi?id=612

          Thanks,
          Ian
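The scenario in the description and the point made in this comment (encrypting the client-side view state does not help, because a stale but validly encrypted tree can still be replayed) both come down to the same defensive rule: a check that matters must not depend on the component tree the client sends back. The following servlet filter is an added example, not code from the JBSEAM-1137 thread, Seam or JCaptcha. It assumes (hypothetically) that whatever renders the captcha stores the expected answer in the HTTP session under the attribute name `captcha.expectedAnswer`, that the form posts the user's answer as request parameter `captchaResponse`, and that the filter is mapped in web.xml to the URL of the protected form; the session attribute name, parameter name and filter mapping are all assumptions.

```java
// Added example (not from the JBSEAM-1137 thread, Seam or JCaptcha): a servlet
// filter that enforces the captcha on the server, independent of the JSF
// component tree. Because the check never consults the client-supplied view
// state, a replayed copy of the form that lacks the captcha component is
// rejected exactly like a wrong answer.
//
// Hypothetical names (not Seam/JCaptcha API):
//   - the captcha renderer stores the expected answer in the session under
//     SESSION_ANSWER_ATTR before the form is shown;
//   - the form posts the user's answer in request parameter CAPTCHA_PARAM;
//   - the filter is mapped in web.xml to the URL of the protected form.
// Independently of this filter, the web.xml setting the thread recommends is
//   <context-param>
//     <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
//     <param-value>server</param-value>
//   </context-param>

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ServerSideCaptchaFilter implements Filter {

    static final String SESSION_ANSWER_ATTR = "captcha.expectedAnswer"; // hypothetical
    static final String CAPTCHA_PARAM = "captchaResponse";               // hypothetical

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only form submissions are gated; a GET renders the form (and a fresh challenge).
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(SESSION_ANSWER_ATTR);
        String supplied = request.getParameter(CAPTCHA_PARAM);

        // A challenge is single-use: remove it before comparing, so a correct
        // answer cannot be replayed for a second submission.
        if (session != null) {
            session.removeAttribute(SESSION_ANSWER_ATTR);
        }

        if (!isValid(expected, supplied)) {
            // Fail closed: no challenge in the session, no answer in the request
            // (e.g. a stale copy of the form without the captcha field) or a
            // wrong answer all end here, whatever the view state says.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "captcha check failed");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Pure decision logic, kept separate so it can be unit-tested without a container. */
    static boolean isValid(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        byte[] a = expected.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison avoids leaking the answer via response timing.
        return MessageDigest.isEqual(a, b);
    }
}
```

The filter runs before JSF restores any view, so it gives the same verdict for a current form, a scraped copy saved before the captcha was added, and an encrypted-but-stale tree: if the session holds no challenge or the request carries no matching answer, the submission is refused. Switching `javax.faces.STATE_SAVING_METHOD` to `server` remains worthwhile on its own, since it stops the client from choosing which component tree the server restores at all.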

          matt.drees Matt Drees added a comment -

          Ah, interesting. Thanks.


            People

            • Assignee: Unassigned
            • Reporter: tarantula Ian Hlavats
            • Votes: 0
            • Watchers: 2
