users@glassfish.java.net

BlackHat: Vulnerability in JSF 2.0?

From: Dominik Dorn <dominik.dorn_at_gmail.com>
Date: Fri, 29 Jan 2010 14:17:21 +0100

---
http://www.blackhat.com/html/bh-dc-10/bh-dc-10-briefings.html#Byrne
Beware of Serialized GUI Objects Bearing Data
This presentation will highlight 0-days in Apache MyFaces and Sun
Mojarra that allow an attacker to access all server-side session data,
as well as some globally-scoped application variables. This
presentation will provide a live demonstration of the flaws. The tool
used to exploit the vulnerability will also be released.
A similar vulnerability is present in Microsoft's ASP.Net view state.
This may not technically be an 0-day, but it is a poorly known flaw
that has been present since the beginning days of .Net. A live
demonstration of this will also be performed.
---
Will something be done because of this?
I assume this only affects people who
use the client for storing the view-state?
Does anyone have more information about this?
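A quick way to answer the "does this affect me" question for a given deployment is to look at what the page actually sends back in the hidden view-state field. The script below is an added example, not code from this post, from the BlackHat talk, or from the Mojarra or MyFaces projects. It pulls the `javax.faces.ViewState` and `__VIEWSTATE` hidden inputs out of a form and checks whether the value base64-decodes to a Java serialization stream (magic `AC ED 00 05`, optionally inside a gzip member) or to an ASP.NET ObjectStateFormatter stream (marker `FF 01`). A value that decodes to either is plaintext client-side state that anyone holding the page can read back; a value that matches neither is reported as "opaque", which covers both encrypted client state and a server-side state identifier, so the script does not distinguish those two cases and does not itself say whether server-side session data is reachable through the state. The HTML and token values are constructed for the example, and the magic-byte signatures are assumed from the public layouts of those two stream formats.

```python
"""Triage JSF / ASP.NET view-state fields: is client-side state sent as plaintext serialization?

Added example for the mailing-list question above; not part of Mojarra, MyFaces or the talk's tool.
"""
import base64
import binascii
import gzip
import zlib
from html.parser import HTMLParser

# Byte signatures, assumed from the public stream layouts of each format.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream STREAM_MAGIC + STREAM_VERSION
GZIP_MAGIC = b"\x1f\x8b"                 # RFC 1952 gzip member header (compressed client state)
ASPNET_LOS_MAGIC = b"\xff\x01"           # ASP.NET ObjectStateFormatter format marker + version

VIEW_STATE_FIELDS = ("javax.faces.ViewState", "__VIEWSTATE")


class _HiddenFieldCollector(HTMLParser):
    """Collects (name, value) of <input> elements whose name is a known view-state field."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if a.get("name") in VIEW_STATE_FIELDS:
            self.fields.append((a["name"], a.get("value") or ""))


def find_view_state_fields(html):
    """Return [(field_name, token), ...] for every view-state hidden input in the page."""
    p = _HiddenFieldCollector()
    p.feed(html)
    return p.fields


def decode_token(token):
    """Base64-decode a view-state token (standard or URL-safe alphabet, padding optional).

    Returns b'' when the value is not base64 at all (e.g. a server-side state id).
    """
    t = token.strip()
    try:
        return base64.b64decode(t + "=" * (-len(t) % 4), altchars=b"-_")
    except (binascii.Error, ValueError):
        return b""


def classify_view_state(token):
    """Classify one token:

    'java-serialized'      plaintext Java serialization stream (readable client-side state)
    'java-serialized-gzip' same, but gzip-compressed first (the common JSF client-state layout)
    'aspnet-los'           plaintext ASP.NET ObjectStateFormatter stream
    'opaque'               none of the above: encrypted client state or a server-side state id
    """
    raw = decode_token(token)
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return "opaque"
        return "java-serialized-gzip" if raw.startswith(JAVA_SERIAL_MAGIC) else "opaque"
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return "java-serialized"
    if raw.startswith(ASPNET_LOS_MAGIC):
        return "aspnet-los"
    return "opaque"


def triage(html):
    """Return [(field_name, classification), ...] for a captured form page."""
    return [(name, classify_view_state(value)) for name, value in find_view_state_fields(html)]


# Constructed sample tokens (not captured from any real application).
_JAVA_STREAM = JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11java.lang.Integer"   # TC_OBJECT, TC_CLASSDESC, class name
SAMPLE_PLAIN = base64.b64encode(_JAVA_STREAM).decode()
SAMPLE_GZIP = base64.b64encode(gzip.compress(_JAVA_STREAM)).decode()
SAMPLE_ASPNET = base64.b64encode(ASPNET_LOS_MAGIC + b"\x0f\x01\x02").decode()
SAMPLE_ENCRYPTED = base64.b64encode(bytes(range(16, 48))).decode()     # stand-in for ciphertext
SAMPLE_SERVER_ID = "-5839230812:1938230"                                 # stand-in for a server-side id

SAMPLE_HTML = """<form id="main" method="post" action="/app/page.jsf">
<input type="hidden" name="javax.faces.ViewState" value="%s" />
<input type="hidden" name="__VIEWSTATE" value="%s" />
</form>""" % (SAMPLE_GZIP, SAMPLE_ASPNET)


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HTML):
        print("%-25s %s" % (name, verdict))
```

Run it against a saved copy of any page that renders a form; a `java-serialized` or `java-serialized-gzip` verdict means the application is using client-side state saving without encryption, which is the configuration the asker is worried about. Switching `javax.faces.STATE_SAVING_METHOD` to `server` in web.xml makes the field an identifier instead of the state itself, and the script will then report it as opaque.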