Affects Version/s: 1.2_09
Fix Version/s: 2.1
Operating System: All
Platform: GlassFish 3.1 HEAD
JSF appears to be vulnerable to XSRF attacks. A common approach to help prevent
XSRF attacks is to provide a unique, secret token with any request that
modifies state on the server.
JSF does currently have such a token (the javax.faces.ViewState), which is
currently generated as a sequential token (easy to guess). AFAICT there is
nothing in the spec to prevent this being a much stronger, unique token.
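The difference between the two kinds of token described above, as an added illustration that is not JSF or Mojarra code: a sequential token source beside a `SecureRandom`-backed one, plus a hypothetical per-session store that binds the token to the session and validates it with a comparison whose timing does not depend on where the first mismatch occurs. The `SessionTokens` class and the `session-A`/`session-B` ids are constructed for the example; a real application would keep the token in the HTTP session and check it on every state-changing request.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

/** Illustrative comparison of a sequential state token with a random one (example code, not JSF). */
public class StateTokenDemo {

    /** Weak: a counter. Anyone who has seen one value can predict the next. */
    static final class SequentialTokenSource {
        private final AtomicLong counter = new AtomicLong(1);
        String next() { return Long.toString(counter.getAndIncrement()); }
    }

    /** Strong: 32 bytes from the platform CSPRNG, URL-safe base64 so it fits in a form field. */
    static final class RandomTokenSource {
        private final SecureRandom rng = new SecureRandom();
        String next() {
            byte[] buf = new byte[32];
            rng.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }
    }

    /** Hypothetical per-session store; a real application would keep the token in the HTTP session. */
    static final class SessionTokens {
        private final Map<String, String> tokenBySession = new ConcurrentHashMap<>();
        private final RandomTokenSource source = new RandomTokenSource();

        /** Issue (or reuse) the session's token when the form is rendered. */
        String issue(String sessionId) {
            return tokenBySession.computeIfAbsent(sessionId, id -> source.next());
        }

        /** Validate the token a POST carried; missing token or unknown session is rejected. */
        boolean validate(String sessionId, String submitted) {
            String expected = tokenBySession.get(sessionId);
            if (expected == null || submitted == null) {
                return false;
            }
            byte[] a = expected.getBytes(StandardCharsets.UTF_8);
            byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual does not short-circuit on the first differing byte.
            return MessageDigest.isEqual(a, b);
        }
    }

    public static void main(String[] args) {
        // Sequential token: having seen one value is enough to know the next.
        SequentialTokenSource weak = new SequentialTokenSource();
        String seen = weak.next();
        String predicted = Long.toString(Long.parseLong(seen) + 1);
        System.out.println("sequential: saw " + seen + ", next issued " + weak.next()
                + ", predicted " + predicted);

        // Random token bound to a session: only the page that rendered the form knows it.
        SessionTokens tokens = new SessionTokens();
        String sid = "session-A"; // constructed session id
        String token = tokens.issue(sid);
        System.out.println("random token for " + sid + ": " + token);
        System.out.println("genuine submission accepted: " + tokens.validate(sid, token));
        System.out.println("submission without token accepted: " + tokens.validate(sid, null));
        System.out.println("token replayed under another session accepted: "
                + tokens.validate("session-B", token));
    }
}
```

Run with `java StateTokenDemo.java` (Java 11 or later). The first line shows why a counter is no defence, the last three show the properties a state token needs: it is accepted only when it is present, matches, and belongs to the session that submitted it.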