Java Virtal

[ News ] rss

February 01, 2011

Mark Wielaard: New GPG key. Finally created a new GPG key using gnupg. The old one was a DSA/1024 bits one and 8 years old. The new one is a RSA/2048 bits one. I will use the new one in the future to sign any release tarballs I might create. pub 2048R/57816A6A 2011-01-29 Key f...

More »

February 01, 2011

Andrew Hughes: [SECURITY] IcedTea6 1.7.8, 1.8.5, 1.9.5 Released!. We are pleased to announce a new set of security releases, IcedTea6 1.7.8, IcedTea6 1.8.5 and IcedTea6 1.9.5. This update contains the following security updates: The IcedTea project provides a harness to build the source code from OpenJDK6 u...

More »

1415161718 1920

[ Archives News
for 'Java Technology' ]

home > news > java technology > trustwave spiderlabs sets sights on mojarra, myfaces

Trustwave SpiderLabs sets sights on Mojarra, MyFaces

I received an email from core Mojarra team member Jim Driscoll, who was inexplicably laid off from Sun after its recent acquisition by Oracle, about a talk at next week’s BlackHat Conference in Arlington, VA, U.S.A.. Jim pointed out that two security luminaries from the elite SpiderLabs team from Trustwave are giving a talk at BlackHat about view state security, specifically focusing on Mojarra and MyFaces. Cursory research on the talk found two articles: one by Kelly Jackson Higgins at DarkReading, and another (which appears to be based on the first) at SC Magazine. The talk will be given by David Byrne (the guy who released grendel, not the guy from Talking Heads), and Rohini Sulatycki. For my money, the most important quote in the former article is, “There’s no patch to fix these flaws, either. ‘All developers have to do is perform a configuration change,’ he says, and encrypt view state.” I haven’t seen their presentation yet, but for Mojarra, you can put lines 16 - 24 of the following web.xml into your web.xml to ensure that client state will be encrypted.             Faces Servlet         javax.faces.webapp.FacesServlet         1                 Faces Servlet         /faces/*               &nbs...

Date: January, 31 2010

Others News

© web editor | Mobirise Templates | top free website builder | | image slider