You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Francois Papon (Jira)" <ji...@apache.org> on 2019/11/18 20:35:00 UTC
[jira] [Resolved] (SHIRO-721) RememberMe Padding Oracle
Vulnerability
[ https://issues.apache.org/jira/browse/SHIRO-721?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francois Papon resolved SHIRO-721.
----------------------------------
Resolution: Resolved
> RememberMe Padding Oracle Vulnerability
> ---------------------------------------
>
> Key: SHIRO-721
> URL: https://issues.apache.org/jira/browse/SHIRO-721
> Project: Shiro
> Issue Type: Bug
> Components: RememberMe
> Affects Versions: 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1
> Reporter: loopx9
> Priority: Critical
> Labels: java-deserialization, padding-oracle-attack, security
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> The cookie {color:#ff0000}rememberMe {color}is encrypted by AES-128-CBC mode, and this can be vulnerable to padding oracle attacks. Attackers can use a vaild rememberMe cookie as the {color:#ff0000}prefix{color} for the Padding Oracle Attack,then make a crafted rememberMe to perform the java deserilization attack like SHIRO-550.
> Steps to reproduce this issue:
> # Login in the website and get the rememberMe from the cookie.
> # Use the rememberMe cookie as the prefix for Padding Oracle Attack.
> # Encrypt a ysoserial's serialization payload to make a crafted rememberMe via Padding Oracle Attack.
> # Request the website with the new rememberMe cookie, to perform the deserialization attack.
> The attacker doesn't need to know the cipher key of the rememberMe encryption.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)