Is Seam.Remoting.eval() secure?

dro_k Oct 19, 2008 9:26 PM

Can't a malicious user import the seam/remoting/resource/remote.js and use Seam.Remoting.eval() to bypass @WebRemote restrictions and call any arbitrary method? This can be a very serious security hole, even if Seam Remoting is not enabled (by marking any components using @WebRemote). I wonder how many Seam based sites are vulnerable to this sort of attack??

1. Re: Is Seam.Remoting.eval() secure?

shane.bryzak Oct 20, 2008 1:04 AM (in response to dro_k)

This feature was disabled until we can find a way for expression evaluations to honour the @WebRemote annotation.
Actions
2. Re: Is Seam.Remoting.eval() secure?

dro_k Oct 20, 2008 4:45 AM (in response to dro_k)

Good call... it's pretty unsecure otherwise. Is there a JIRA for this so I can keep track of it?
Actions
3. Re: Is Seam.Remoting.eval() secure?

shane.bryzak Oct 20, 2008 5:52 AM (in response to dro_k)

There's no JIRA, but it's on my personal to-do list. Feel free to create an issue in JIRA if you like.
Actions

Go to original post