shiro-dev mailing list archives

From Richard Bradley <Richard.Brad...@softwire.com>
Subject RE: Remote Code Execution vulnerability in Shiro since May 2013 - SHIRO-550, SHIRO-441
Date Tue, 10 May 2016 09:44:47 GMT
This didn't seem to get through the first time; I'm retrying.

From: Richard Bradley
Sent: 06 May 2016 12:47
To: 'dev@shiro.apache.org' <dev@shiro.apache.org>
Subject: Remote Code Execution vulnerability in Shiro since May 2013 - SHIRO-550, SHIRO-441

Hi,

The "remember me" functionality is enabled by default in Shiro, and the encryption key is
hardcoded and publicly available.
Further, the "remember me" function uses Java deserialization, which allows remote code execution
when an untrusted user supplies the data, as here.

There is a working exploit published on https://issues.apache.org/jira/browse/SHIRO-550

The underlying bug was first recorded on https://issues.apache.org/jira/browse/SHIRO-441 in
May 2013.

Please could someone who is responsible for maintaining Shiro take a look?
If there is no-one available to fix these issues, I think that there should at least be a
warning posted on the Shiro homepage explaining how to close this vulnerability in a default
Shiro install.

Many thanks,


Richard Bradley


Richard Bradley
Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575

softwire
Sunday Times Best Small Companies - UK top 25 six years running
Web : www.softwire.com<http://www.softwire.com/> | Follow us on Twitter : @SoftwireUK<https://twitter.com/SoftwireUK>
Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
Softwire Technology Limited. Registered in England no. 3824658. Registered Office : Gallery
Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
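Added example (editor's addition, not part of the message above and not Shiro project code): the message describes a default install whose "remember me" cookie is an AES-encrypted, Java-serialized object keyed with a constant compiled into Shiro. The snippet below shows what an operator can do in a deployment without waiting for an upstream fix: check whether a running CookieRememberMeManager is still on the library's built-in key, and replace that key with one generated for this deployment. It assumes the Shiro 1.2.x API (AesCipherService, CookieRememberMeManager, DefaultWebSecurityManager, org.apache.shiro.codec.Base64); the class name RememberMeKeyCheck and its method names are hypothetical.

```java
import java.util.Arrays;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

// Hypothetical helper class; it is not part of Shiro.
public class RememberMeKeyCheck {

    /**
     * True when the manager still uses the cipher key compiled into Shiro.
     * A freshly constructed CookieRememberMeManager holds exactly that
     * library default, so comparing against it avoids copying the constant
     * anywhere in application code.
     */
    public static boolean usesBuiltInKey(CookieRememberMeManager mgr) {
        byte[] libraryDefault = new CookieRememberMeManager().getCipherKey();
        return Arrays.equals(mgr.getCipherKey(), libraryDefault);
    }

    /**
     * Builds a remember-me manager bound to a per-deployment key. Generate the
     * key once, store it like any other secret (keystore, secrets manager,
     * protected config), and share it with every node that issues or reads
     * the cookie; rotating it only invalidates outstanding remember-me cookies.
     */
    public static CookieRememberMeManager withDeploymentKey(byte[] key) {
        if (key == null || (key.length != 16 && key.length != 24 && key.length != 32)) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes");
        }
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(key);
        return mgr;
    }

    public static void main(String[] args) {
        // Generate a fresh 128-bit AES key; a real deployment loads it from secret storage.
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        System.out.println("cipherKey (store this, do not commit it): " + Base64.encodeToString(key));

        // DefaultWebSecurityManager installs a CookieRememberMeManager on the built-in key.
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        CookieRememberMeManager before = (CookieRememberMeManager) sm.getRememberMeManager();
        System.out.println("default config on the built-in key: " + usesBuiltInKey(before));

        // Swap in the hardened manager and re-run the check.
        sm.setRememberMeManager(withDeploymentKey(key));
        CookieRememberMeManager after = (CookieRememberMeManager) sm.getRememberMeManager();
        System.out.println("after hardening on the built-in key: " + usesBuiltInKey(after));
    }
}
```

usesBuiltInKey returns true for the manager that DefaultWebSecurityManager installs in its constructor and false once the replacement is in place; the same check can be run against the security manager an application wires up through shiro.ini or Spring to audit a deployment. Replacing the key closes the exposure the message describes for a default install, but the cookie is still a Java-serialized object that Shiro deserializes after decryption: anyone who obtains the key (leaked config, another application sharing it) gets the same path back. Treat the key as a credential, and if the application does not need "remember me", do not rely on the feature at all.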
