shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alan D. Cabrera" <l...@toolazydogs.com>
Subject Re: CVE-2010-3863: Apache Shiro information disclosure vulnerability
Date Wed, 03 Nov 2010 05:14:52 GMT
Would it make sense to patch 1.0.0 and make a 1.0.1 release as well?


Regards,
Alan

On Nov 2, 2010, at 9:03 PM, Les Hazlewood wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> CVE-2010-3863: Apache Shiro information disclosure vulnerability
> 
> Severity: Important
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache Shiro 1.0.0-incubating
> The unsupported JSecurity 0.9.x versions are also affected
> 
> Description:
> Shiro's path-based filter chain mechanism did not normalize request paths
> before performing path-matching logic.  The result is that Shiro filter
> chain matching logic was susceptible to potential path traversal attacks.
> 
> Mitigation:
> All users should upgrade to 1.1.0
> 
> Example:
> For a shiro.ini [urls] section entry:
> 
> /account/** = authc, ...
> /** = anon
> 
> This states that all requests to the /account/** pages should be
> authenticated (as indicated by the 'authc' (authentication) filter) in the
> chain definition.
> 
> A malicious request could be sent:
> 
> GET /./account/index.jsp HTTP/1.1
> 
> And access would be granted because the path was not normalized to
> /account/index.jsp before evaluating the path for a match.
> 
> Credit:
> This issue was discovered by Luke Taylor of SpringSource.
> 
> References:
> http://shiro.apache.org/configuration.html
> 
> Les Hazlewood
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (FreeBSD)
> 
> iQIcBAEBCgAGBQJM0F+ZAAoJEFWds0y8W3GbixQP/3f9UVJ1RQgEh+n8DQ82UxU6
> NrFNJLXtXqzT/oxcTZUa5rxOsx1XZ2jXIt9X2c8nx9J+Ns4AfOGSdgq6Hj7+Cbgw
> 2Hc7t6oKpIFH5Tv4E6LHkYbKvDwvoD3U+CfactqDBqPYE10WQ7WNjvXyvm8bLgM6
> +3ztqxmEREmg04FCDbErTmZXK59H6jhPHCttkYdw3mTQ9oM+v9cmL7c3NR3vXqoK
> nwAtdmA24p1v05L9ptyiTuVWhoZKrru16jSI7wrz5Bj04ZqBHW5QSANo/SKQm6Gz
> FZT74qi8XgTJnYhl0Ei9a4tPCiTKm2SUBOqZpcLd1d7S0WFlSUc+lgOT0Ze7NyFF
> d9nkZcQyTSMf9Sh4mr62zdSvky3K1FNNgJ/EAdCc2xsHQRtuGJfvyBI4WidA9Cda
> Ogg5v+J5/d/s5IYdmML4ffiv0Nah9BDX9SLi7FaxMphHmfA6unN85JWl2jrb6ij/
> pRa2GR7pi6V6IxUdHETNpt+7YXU/zDibQCRPKlTAV54n2TK5tY5cVYpa3zw33ojL
> aqPLV3U3nw2t7/wS/IMxnZ9vSdFV3ghlQn/YueQzrTeSMxshSQrdfT0T9pxa0Q0q
> Db4wJRaX5W1uKurhQCa9zFnjU8xp97GobbThSRP7IHj0Fw1yVSCI7rXB5CHYpDSa
> 7MKcZauaP3nXPuAYVZBc
> =fr+j
> -----END PGP SIGNATURE-----


Mime
View raw message