lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTimhmHCcQ3gfz+yWQExVnJC2fhia2R9Rvw46VDA6@mail.gmail.com>
Date: Tue, 2 Nov 2010 21:03:57 -0700
From: Les Hazlewood <lhazlewood@...che.org>
To: user@...ro.apache.org
Cc: dev@...ro.apache.org, security@...che.org,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	luke.taylor@...ingsource.com
Subject: CVE-2010-3863: Apache Shiro information disclosure vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2010-3863: Apache Shiro information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Shiro 1.0.0-incubating
The unsupported JSecurity 0.9.x versions are also affected

Description:
Shiro's path-based filter chain mechanism did not normalize request paths
before performing path-matching logic.  The result is that Shiro filter
chain matching logic was susceptible to potential path traversal attacks.

Mitigation:
All users should upgrade to 1.1.0

Example:
For a shiro.ini [urls] section entry:

/account/** = authc, ...
/** = anon

This states that all requests to the /account/** pages should be
authenticated (as indicated by the 'authc' (authentication) filter) in the
chain definition.

A malicious request could be sent:

GET /./account/index.jsp HTTP/1.1

And access would be granted because the path was not normalized to
/account/index.jsp before evaluating the path for a match.

Credit:
This issue was discovered by Luke Taylor of SpringSource.

References:
http://shiro.apache.org/configuration.html

Les Hazlewood
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iQIcBAEBCgAGBQJM0F+ZAAoJEFWds0y8W3GbixQP/3f9UVJ1RQgEh+n8DQ82UxU6
NrFNJLXtXqzT/oxcTZUa5rxOsx1XZ2jXIt9X2c8nx9J+Ns4AfOGSdgq6Hj7+Cbgw
2Hc7t6oKpIFH5Tv4E6LHkYbKvDwvoD3U+CfactqDBqPYE10WQ7WNjvXyvm8bLgM6
+3ztqxmEREmg04FCDbErTmZXK59H6jhPHCttkYdw3mTQ9oM+v9cmL7c3NR3vXqoK
nwAtdmA24p1v05L9ptyiTuVWhoZKrru16jSI7wrz5Bj04ZqBHW5QSANo/SKQm6Gz
FZT74qi8XgTJnYhl0Ei9a4tPCiTKm2SUBOqZpcLd1d7S0WFlSUc+lgOT0Ze7NyFF
d9nkZcQyTSMf9Sh4mr62zdSvky3K1FNNgJ/EAdCc2xsHQRtuGJfvyBI4WidA9Cda
Ogg5v+J5/d/s5IYdmML4ffiv0Nah9BDX9SLi7FaxMphHmfA6unN85JWl2jrb6ij/
pRa2GR7pi6V6IxUdHETNpt+7YXU/zDibQCRPKlTAV54n2TK5tY5cVYpa3zw33ojL
aqPLV3U3nw2t7/wS/IMxnZ9vSdFV3ghlQn/YueQzrTeSMxshSQrdfT0T9pxa0Q0q
Db4wJRaX5W1uKurhQCa9zFnjU8xp97GobbThSRP7IHj0Fw1yVSCI7rXB5CHYpDSa
7MKcZauaP3nXPuAYVZBc
=fr+j
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ