MyFaces Tomahawk / TOMAHAWK-1633

Arbitrary Session Variable Override using Captcha Renderer


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.13, 1.1.14-SNAPSHOT
    • Fix Version/s: 1.1.14
    • Component/s: Captcha
    • Labels: None

    Description

      Hello!

      I recently discovered that the captcha component can be misused to override arbitrary session variables (e.g. something like "username") with random content.

      The offending code is in class:
      org.apache.myfaces.custom.captcha.CAPTCHARenderer
      function "void renderCAPTCHA(FacesContext facesContext)"
      ======
      String captchaSessionKeyName = requestMap.get(
      CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
      ...
      // Set the generated text in the user session.
      facesContext.getExternalContext().getSessionMap().put(
      captchaSessionKeyName, captchaText);
      ======

      Example URL: <host>/org.apache.myfaces.custom.captcha.CAPTCHARenderer/?captchaSessionKeyName=username&dummyParameter=1345794661817

      In most cases this is not highly critical, but there will be special cases. And the behaviour is undesirable in any case.

      My suggested fix would be something like this:
      ======
      String captchaSessionKeyName = requestMap.get(
      CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
      ...
      // Set the generated text in the user session.
      facesContext.getExternalContext().getSessionMap().put(
      CAPTCHAComponent.ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME +
      captchaSessionKeyName, captchaText);
      ======

      Best Regards,

      Jan
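Below, as an added illustration that is neither the Tomahawk project's code nor part of the report, the two shapes side by side, with plain maps standing in for the JSF request parameter map and session map; the constant's value, the stored user name and the captcha text are constructed, and the hardened variant adds a name allow-list on top of the prefix the report proposes:

```java
import java.util.HashMap;
import java.util.Map;

public class CaptchaSessionKeyDemo {
    // Same constant name as the renderer uses; the string value is a constructed placeholder.
    static final String ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME = "captchaSessionKeyName";

    // Vulnerable shape from the report: the request parameter is used unchanged as the
    // session attribute name, so ?captchaSessionKeyName=username overwrites "username".
    static void renderCaptchaVulnerable(Map<String, String> requestMap,
                                        Map<String, Object> sessionMap, String captchaText) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME).toString();
        sessionMap.put(captchaSessionKeyName, captchaText);
    }

    // Hardened shape: a fixed prefix (the report's suggestion) confines writes to
    // captcha-owned attributes; the allow-list on the name (added here) rejects a
    // missing or malformed parameter instead of throwing NullPointerException or
    // storing an arbitrary key.
    static void renderCaptchaHardened(Map<String, String> requestMap,
                                      Map<String, Object> sessionMap, String captchaText) {
        String captchaSessionKeyName = requestMap.get(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME);
        if (captchaSessionKeyName == null || !captchaSessionKeyName.matches("[A-Za-z0-9_]{1,64}")) {
            throw new IllegalArgumentException("rejected captcha session key name");
        }
        sessionMap.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + captchaSessionKeyName, captchaText);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        session.put("username", "alice");            // constructed: set by the app at login
        Map<String, String> request = new HashMap<>();
        request.put(ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME, "username"); // parameter from the report's example URL
        String captchaText = "7G4KQ";                // constructed stand-in for the generated text

        renderCaptchaVulnerable(request, session, captchaText);
        System.out.println("vulnerable: username=" + session.get("username"));

        session.put("username", "alice");            // reset before the second run
        renderCaptchaHardened(request, session, captchaText);
        System.out.println("hardened:   username=" + session.get("username"));
        System.out.println("hardened:   captcha stored under "
                + ATTRIBUTE_CAPTCHA_SESSION_KEY_NAME + "username");
    }
}
```

The prefix bounds the blast radius to attributes the captcha component owns; validating the name additionally keeps a request from choosing unbounded or non-identifier key names.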

      Attachments

        1. TOMAHAWK-1633-1.patch (9 kB, Leonardo Uribe)

      People

        Assignee: Leonardo Uribe (lu4242)
        Reporter: Jan Alsenz (janalsenz)
        Votes: 0
        Watchers: 2