From: Jean-Baptiste Onofré (JIRA)
To: issues@karaf.apache.org
Reply-To: dev@karaf.apache.org
Date: Mon, 19 Sep 2016 01:00:44 +0000 (UTC)
Subject: [jira] [Updated] (KARAF-4206) Session Fixation

     [ https://issues.apache.org/jira/browse/KARAF-4206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4206:
----------------------------------------

    Fix Version/s:     (was: 4.0.7)
                       4.0.8

> Session Fixation
> ----------------
>
>                 Key: KARAF-4206
>                 URL: https://issues.apache.org/jira/browse/KARAF-4206
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
> On line 69 of SuCommand.java the method execute() authenticates users without invalidating the existing session identifier, giving an attacker the opportunity to steal authenticated sessions. An existing session should be invalidated by calling HttpSession.invalidate() prior to calling loginContext.login().
> File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
> Line: 69
> SuCommand.java, lines 52-69:
> {code}
> 52    @Override
> 53    public Object execute() throws Exception {
> 54        Subject subject = new Subject();
> 55        LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
> 56            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> 57                for (Callback callback : callbacks) {
> 58                    if (callback instanceof NameCallback) {
> 59                        ((NameCallback) callback).setName(user);
> 60                    } else if (callback instanceof PasswordCallback) {
> 61                        String password = SuCommand.this.session.readLine("Password: ", '*');
> 62                        ((PasswordCallback) callback).setPassword(password.toCharArray());
> 63                    } else {
> 64                        throw new UnsupportedCallbackException(callback);
> 65                    }
> 66                }
> 67            }
> 68        });
> 69        loginContext.login();
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
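The finding above recommends invalidating the pre-authentication session before `loginContext.login()` runs. The following is an added, self-contained Java example written for this archive page; it is not Karaf code and not the reporter's code. It models the general pattern with an in-memory session store of its own (`SessionStore`, `Session`, `credentialsValid` and the `alice` / `correct horse` credentials are all constructed for the example): a vulnerable login that authenticates the session the client arrived with, beside a hardened login that discards that session and issues a fresh identifier before binding the principal. `fixationPossible` reports whether an identifier known before login still resolves to an authenticated session afterwards.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Minimal in-memory model of an HTTP-style session store (constructed for this
// example; not Karaf code). A session is an identifier mapped to a principal,
// which stays null while the visitor is anonymous.
public class SessionRotationDemo {

    static final class Session {
        final String id;
        String principal; // null until authenticated
        Session(String id) { this.id = id; }
    }

    static final class SessionStore {
        private final Map<String, Session> sessions = new HashMap<>();
        private final SecureRandom random = new SecureRandom();

        // Issue a fresh, unpredictable identifier (128 random bits, URL-safe base64).
        Session create() {
            byte[] raw = new byte[16];
            random.nextBytes(raw);
            Session s = new Session(Base64.getUrlEncoder().withoutPadding().encodeToString(raw));
            sessions.put(s.id, s);
            return s;
        }

        // Register a session under a caller-chosen id. This models a deployment
        // that honours a client-supplied id; it exists only to set up the demo.
        Session adopt(String id) {
            Session s = new Session(id);
            sessions.put(id, s);
            return s;
        }

        Session lookup(String id) { return sessions.get(id); }

        void invalidate(Session s) { sessions.remove(s.id); }
    }

    // Stand-in for the real credential check (LoginContext.login() in the
    // finding); accepts one constructed user/password pair.
    static boolean credentialsValid(String user, char[] password) {
        return "alice".equals(user) && "correct horse".equals(new String(password));
    }

    // VULNERABLE: authenticates in place, so whatever id the client arrived
    // with (possibly one chosen by someone else) becomes an authenticated session.
    static Session loginWithoutRotation(Session current, String user, char[] password) {
        if (!credentialsValid(user, password)) return current;
        current.principal = user;
        return current;
    }

    // HARDENED: the pre-authentication session is invalidated and a new id is
    // issued before the principal is bound. This is the HttpSession.invalidate()
    // step the finding asks for; on Servlet 3.1+ the one-call equivalent is
    // HttpServletRequest.changeSessionId().
    static Session loginWithRotation(SessionStore store, Session current,
                                     String user, char[] password) {
        if (!credentialsValid(user, password)) return current;
        store.invalidate(current);
        Session fresh = store.create();
        fresh.principal = user;
        return fresh;
    }

    // Returns true when an id known before login still resolves to an
    // authenticated session afterwards, i.e. when fixation would succeed.
    static boolean fixationPossible(boolean rotate) {
        SessionStore store = new SessionStore();
        Session planted = store.adopt("id-known-before-login"); // constructed id
        char[] pw = "correct horse".toCharArray();
        if (rotate) {
            loginWithRotation(store, planted, "alice", pw);
        } else {
            loginWithoutRotation(planted, "alice", pw);
        }
        Session viaOldId = store.lookup("id-known-before-login");
        return viaOldId != null && viaOldId.principal != null;
    }

    public static void main(String[] args) {
        System.out.println("without rotation, old id still authenticated: " + fixationPossible(false));
        System.out.println("with rotation, old id still authenticated:    " + fixationPossible(true));
    }
}
```

Note that the snippet in the report is a JAAS `LoginContext` driven from a shell command (the password is read with `session.readLine`), not a servlet, so `HttpSession.invalidate()` cannot be dropped in verbatim; the rule the example shows is the general one: whatever holds the caller's identity must be replaced, not upgraded in place, at the moment privileges change.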