karaf-issues mailing list archives

From Jean-Baptiste Onofré (JIRA) <j...@apache.org>
Subject [jira] [Resolved] (KARAF-4206) Session Fixation
Date Sat, 28 Jan 2017 05:14:25 GMT

     [ https://issues.apache.org/jira/browse/KARAF-4206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved KARAF-4206.
-----------------------------------------
       Resolution: Won't Fix
    Fix Version/s:     (was: 4.0.9)
                       (was: 4.1.0)

That's the goal of the su command: execute an action with a different user. 

> Session Fixation
> ----------------
>
>                 Key: KARAF-4206
>                 URL: https://issues.apache.org/jira/browse/KARAF-4206
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
> On line 69 of SuCommand.java the method execute() authenticates users without invalidating the existing session identifier, giving an attacker the opportunity to steal authenticated sessions. An existing session should be invalidated by calling HttpSession.invalidate() prior to calling loginContext.login().
> File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
> Line: 69
> SuCommand.java, lines 52-69:
> {code}
> 52 @Override
> 53 public Object execute() throws Exception {
> 54     Subject subject = new Subject();
> 55     LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
> 56         public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> 57             for (Callback callback : callbacks) {
> 58                 if (callback instanceof NameCallback) {
> 59                     ((NameCallback) callback).setName(user);
> 60                 } else if (callback instanceof PasswordCallback) {
> 61                     String password = SuCommand.this.session.readLine("Password: ", '*');
> 62                     ((PasswordCallback) callback).setPassword(password.toCharArray());
> 63                 } else {
> 64                     throw new UnsupportedCallbackException(callback);
> 65                 }
> 66             }
> 67         }
> 68     });
> 69     loginContext.login();
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
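For readers weighing the report against the resolution: the scanner rule quoted above describes an HTTP login, where a session id that existed before the credentials were checked must not survive authentication. The SuCommand excerpt has no HttpSession at all; its `session` is the interactive shell session it reads the password from (`session.readLine("Password: ", '*')`), so the proposed `HttpSession.invalidate()` call has nothing to act on there. The following is an added example, not code from the issue or from Karaf, showing what the rule's remedy looks like where it does apply, a servlet-side login that discards the pre-authentication session before calling JAAS `LoginContext.login()`. The class name `HttpLoginHelper`, the session attribute `"subject"` and the JAAS configuration name passed as `realm` are assumptions for the example.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Arrays;

/**
 * Hypothetical HTTP login helper (example code, not part of Karaf).
 * It shows the remedy the scanner rule expects: an HttpSession that
 * existed before authentication is invalidated before JAAS login, and a
 * new session is created only after the credentials have been verified.
 */
public final class HttpLoginHelper {

    /** JAAS login configuration name (assumed; e.g. the realm a deployment configures). */
    private final String realm;

    public HttpLoginHelper(String realm) {
        this.realm = realm;
    }

    /**
     * Authenticates {@code user} with {@code password} and binds the resulting
     * Subject to a freshly created session.
     *
     * @return the authenticated Subject
     * @throws LoginException if JAAS rejects the credentials
     */
    public Subject login(HttpServletRequest request, String user, char[] password)
            throws LoginException {
        Subject subject = new Subject();
        // CallbackHandler is a single-method interface, so a lambda is enough here.
        LoginContext loginContext = new LoginContext(realm, subject, callbacks -> {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(user);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            }
        });

        // Session fixation defence: whatever session existed before the
        // credentials were verified is discarded, regardless of who chose its id.
        HttpSession preAuth = request.getSession(false);
        if (preAuth != null) {
            preAuth.invalidate();
        }

        try {
            loginContext.login();
        } finally {
            // Do not keep the secret in memory longer than the login needs it.
            Arrays.fill(password, '\0');
        }

        // A new session, created only after authentication succeeded, carries
        // the authenticated Subject under an id the client has never seen.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("subject", subject);
        return subject;
    }
}
```

The ordering is deliberate: invalidating before `login()` follows the wording of the report, and a failed login then simply leaves the caller without a session, which is the safe outcome. A shell `su`, by contrast, runs inside one interactive console session and switches the Subject for the commands that follow; there is no transport-level session id to rotate, which is the gap between the scanner's generic rule and this code.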
