Subject: Re: CVE-2010-3863: Apache Shiro information disclosure vulnerability
From: "Alan D. Cabrera"
Date: Tue, 2 Nov 2010 22:14:52 -0700
To: dev@shiro.apache.org
Reply-To: dev@shiro.apache.org
Mailing-List: contact dev-help@shiro.apache.org; run by ezmlm

Would it make sense to patch 1.0.0 and make a 1.0.1 release as well?

Regards,
Alan

On Nov 2, 2010, at 9:03 PM, Les Hazlewood wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> CVE-2010-3863: Apache Shiro information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Shiro 1.0.0-incubating
> The unsupported JSecurity 0.9.x versions are also affected
>
> Description:
> Shiro's path-based filter chain mechanism did not normalize request paths
> before performing path-matching logic. The result is that Shiro filter
> chain matching logic was susceptible to potential path traversal attacks.
>
> Mitigation:
> All users should upgrade to 1.1.0
>
> Example:
> For a shiro.ini [urls] section entry:
>
> /account/** = authc, ...
> /** = anon
>
> This states that all requests to the /account/** pages should be
> authenticated (as indicated by the 'authc' (authentication) filter) in the
> chain definition.
>
> A malicious request could be sent:
>
> GET /./account/index.jsp HTTP/1.1
>
> And access would be granted because the path was not normalized to
> /account/index.jsp before evaluating the path for a match.
>
> Credit:
> This issue was discovered by Luke Taylor of SpringSource.
>
> References:
> http://shiro.apache.org/configuration.html
>
> Les Hazlewood
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (FreeBSD)
>
> iQIcBAEBCgAGBQJM0F+ZAAoJEFWds0y8W3GbixQP/3f9UVJ1RQgEh+n8DQ82UxU6
> NrFNJLXtXqzT/oxcTZUa5rxOsx1XZ2jXIt9X2c8nx9J+Ns4AfOGSdgq6Hj7+Cbgw
> 2Hc7t6oKpIFH5Tv4E6LHkYbKvDwvoD3U+CfactqDBqPYE10WQ7WNjvXyvm8bLgM6
> +3ztqxmEREmg04FCDbErTmZXK59H6jhPHCttkYdw3mTQ9oM+v9cmL7c3NR3vXqoK
> nwAtdmA24p1v05L9ptyiTuVWhoZKrru16jSI7wrz5Bj04ZqBHW5QSANo/SKQm6Gz
> FZT74qi8XgTJnYhl0Ei9a4tPCiTKm2SUBOqZpcLd1d7S0WFlSUc+lgOT0Ze7NyFF
> d9nkZcQyTSMf9Sh4mr62zdSvky3K1FNNgJ/EAdCc2xsHQRtuGJfvyBI4WidA9Cda
> Ogg5v+J5/d/s5IYdmML4ffiv0Nah9BDX9SLi7FaxMphHmfA6unN85JWl2jrb6ij/
> pRa2GR7pi6V6IxUdHETNpt+7YXU/zDibQCRPKlTAV54n2TK5tY5cVYpa3zw33ojL
> aqPLV3U3nw2t7/wS/IMxnZ9vSdFV3ghlQn/YueQzrTeSMxshSQrdfT0T9pxa0Q0q
> Db4wJRaX5W1uKurhQCa9zFnjU8xp97GobbThSRP7IHj0Fw1yVSCI7rXB5CHYpDSa
> 7MKcZauaP3nXPuAYVZBc
> =fr+j
> -----END PGP SIGNATURE-----
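The following is an added example, not part of the mailing-list thread and not Shiro's own code. It is a small Python model of the first-match-wins, Ant-style path resolution that the quoted advisory describes, built from the `[urls]` entries in the advisory (`/account/** = authc` before `/** = anon`). `resolve_filters(..., normalize_first=False)` reproduces the pre-1.1.0 behaviour in which the raw request path is matched as-is, so `/./account/index.jsp` falls through to the `/**` chain; the default normalizes dot segments first and lands on the `authc` chain. `is_suspicious` is a defender-side check for request paths that carry `.`/`..`/empty segments, usable as a log-review or WAF signal. The matcher, the normalizer and the chain table are assumptions of this example; it also assumes the servlet container has already percent-decoded the path.

```python
"""Model of Shiro-style path-based filter chain resolution, with and
without request-path normalization (added example, not Shiro's code)."""
from fnmatch import fnmatchcase

# Constructed from the [urls] example in the advisory. Resolution is
# first-match-wins, so the specific /account/** chain must precede /**.
CHAIN_DEFINITIONS = [
    ("/account/**", ["authc"]),
    ("/**", ["anon"]),
]


def _segments(p):
    return p.strip("/").split("/")


def ant_match(pattern, path):
    """Ant-style matcher (assumed here, not Shiro's AntPathMatcher):
    '**' spans zero or more path segments; '*' and '?' are wildcards
    within one segment. Matching is segment by segment, so a literal
    '.' segment is treated as an ordinary segment, never as "this dir"."""
    return _match(_segments(pattern), _segments(path))


def _match(pat, segs):
    if not pat:
        return not segs
    head, rest = pat[0], pat[1:]
    if head == "**":
        # Let '**' consume 0..len(segs) segments and try the remainder.
        return any(_match(rest, segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    return fnmatchcase(segs[0], head) and _match(rest, segs[1:])


def normalize_path(raw_path):
    """Resolve '.' and '..' segments and collapse repeated slashes.
    A '..' that would climb above the root is clamped at '/'.
    Assumes the container already percent-decoded the path."""
    out = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def resolve_filters(raw_path, normalize_first=True):
    """Return the filter list of the first chain whose pattern matches.
    normalize_first=False models the pre-1.1.0 behaviour the advisory
    describes; True (default) is the hardened form."""
    path = normalize_path(raw_path) if normalize_first else raw_path
    for pattern, filters in CHAIN_DEFINITIONS:
        if ant_match(pattern, path):
            return filters
    return []  # no chain matched: request passes through unfiltered


def is_suspicious(raw_path):
    """Detection check: flag paths carrying '.', '..' or empty interior
    segments, which legitimate clients almost never send to an app."""
    segs = raw_path.split("/")[1:]  # drop the empty piece before the leading '/'
    return any(s in (".", "..") for s in segs) or "" in segs[:-1]


if __name__ == "__main__":
    # Constructed sample request paths, including the one from the advisory.
    for raw in ("/account/index.jsp", "/./account/index.jsp",
                "/public/../account/index.jsp", "/public/index.jsp"):
        print(f"{raw:32} vulnerable={resolve_filters(raw, False)} "
              f"fixed={resolve_filters(raw)} suspicious={is_suspicious(raw)}")
```

Note that `/account/../account/index.jsp` is not a useful bypass against this table even without normalization, because `/account/**` matches anything whose first segment is `account`; the traversal only matters when the unnormalized first segment steers the request into a more permissive chain, as `/./...` and `/public/../account/...` do. That is why the fix belongs in the resolver, before any pattern is consulted, rather than in individual chain definitions.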