Posted to user@shiro.apache.org by Les Hazlewood <lh...@apache.org> on 2010/11/03 05:03:57 UTC

CVE-2010-3863: Apache Shiro information disclosure vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2010-3863: Apache Shiro information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Shiro 1.0.0-incubating
The unsupported JSecurity 0.9.x versions are also affected

Description:
Shiro's path-based filter chain mechanism did not normalize request paths
before performing path-matching logic.  The result is that Shiro filter
chain matching logic was susceptible to potential path traversal attacks.

Mitigation:
All users should upgrade to 1.1.0

Example:
For a shiro.ini [urls] section entry:

/account/** = authc, ...
/** = anon

This states that all requests to the /account/** pages should be
authenticated (as indicated by the 'authc' (authentication) filter) in the
chain definition.

A malicious request could be sent:

GET /./account/index.jsp HTTP/1.1

And access would be granted because the path was not normalized to
/account/index.jsp before evaluating the path for a match.

Credit:
This issue was discovered by Luke Taylor of SpringSource.

References:
http://shiro.apache.org/configuration.html

Les Hazlewood
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iQIcBAEBCgAGBQJM0F+ZAAoJEFWds0y8W3GbixQP/3f9UVJ1RQgEh+n8DQ82UxU6
NrFNJLXtXqzT/oxcTZUa5rxOsx1XZ2jXIt9X2c8nx9J+Ns4AfOGSdgq6Hj7+Cbgw
2Hc7t6oKpIFH5Tv4E6LHkYbKvDwvoD3U+CfactqDBqPYE10WQ7WNjvXyvm8bLgM6
+3ztqxmEREmg04FCDbErTmZXK59H6jhPHCttkYdw3mTQ9oM+v9cmL7c3NR3vXqoK
nwAtdmA24p1v05L9ptyiTuVWhoZKrru16jSI7wrz5Bj04ZqBHW5QSANo/SKQm6Gz
FZT74qi8XgTJnYhl0Ei9a4tPCiTKm2SUBOqZpcLd1d7S0WFlSUc+lgOT0Ze7NyFF
d9nkZcQyTSMf9Sh4mr62zdSvky3K1FNNgJ/EAdCc2xsHQRtuGJfvyBI4WidA9Cda
Ogg5v+J5/d/s5IYdmML4ffiv0Nah9BDX9SLi7FaxMphHmfA6unN85JWl2jrb6ij/
pRa2GR7pi6V6IxUdHETNpt+7YXU/zDibQCRPKlTAV54n2TK5tY5cVYpa3zw33ojL
aqPLV3U3nw2t7/wS/IMxnZ9vSdFV3ghlQn/YueQzrTeSMxshSQrdfT0T9pxa0Q0q
Db4wJRaX5W1uKurhQCa9zFnjU8xp97GobbThSRP7IHj0Fw1yVSCI7rXB5CHYpDSa
7MKcZauaP3nXPuAYVZBc
=fr+j
-----END PGP SIGNATURE-----
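The following is an added example and is not part of the original advisory or of Shiro's source. It is a small Python stand-in for an Ant-style [urls] chain resolver, built on the exact [urls] table from the advisory, showing the vulnerable behaviour (matching the raw request path) beside the fixed behaviour (resolving '.', '..' and doubled slashes before matching). The matcher and the normalizer are simplified reimplementations written for this illustration, not Shiro's AntPathMatcher or its normalization code, and the REJECT sentinel is an assumed convention. Because Shiro resolves chains first-match-wins, the resolver also lets you see what happens when the [urls] entries are applied out of definition order.

```python
"""
Constructed demonstration of the CVE-2010-3863 class of bug: an Ant-style
[urls] filter-chain resolver that matches the raw request path (vulnerable)
beside one that normalizes dot-segments first (fixed).  Simplified stand-in
for illustration only; this is not Shiro code.
"""
import re
from typing import List, Optional, Tuple

# Constructed shiro.ini [urls] section from the advisory, in definition order.
# Chains are resolved first-match-wins, so order matters.
URLS: List[Tuple[str, str]] = [
    ("/account/**", "authc"),
    ("/**", "anon"),
]

REJECT = "reject"  # assumed sentinel: '..' climbed above the context root


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style pattern ('?', '*', '**') into an anchored regex.

    Simplified reimplementation (assumption: not Shiro's AntPathMatcher).
    """
    regex, i, n = "", 0, len(pattern)
    while i < n:
        if pattern.startswith("/**", i) and i + 3 == n:
            regex += "(?:/.*)?"      # trailing "/**": the directory itself or anything below
            i += 3
        elif pattern.startswith("**/", i):
            regex += "(?:.*/)?"      # "**/": zero or more leading segments
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"            # bare "**": anything, across segments
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"         # "*": anything within one segment
            i += 1
        elif pattern[i] == "?":
            regex += "[^/]"          # "?": one character within a segment
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.compile("^" + regex + "$")


def normalize(path: str) -> Optional[str]:
    """Collapse '//' and resolve '.' and '..' segments (RFC 3986 remove_dot_segments).

    Returns None when '..' would climb above the context root.  Assumes the
    servlet container has already percent-decoded the path.
    """
    if not path.startswith("/"):
        path = "/" + path
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                 # empty (from '//') and '.' segments disappear
        if seg == "..":
            if not segments:
                return None          # escaping the root is never a legitimate request
            segments.pop()
        else:
            segments.append(seg)
    result = "/" + "/".join(segments)
    if result != "/" and path.endswith(("/", "/.", "/..")):
        result += "/"                # keep a trailing slash: '/account/.' -> '/account/'
    return result


def resolve_chain(path: str, urls=URLS, normalize_first: bool = True) -> Optional[str]:
    """Return the filter chain for a request path: first matching pattern wins.

    normalize_first=False reproduces the 1.0.0-incubating behaviour described
    in the advisory; True is the 1.1.0 behaviour (normalize, then match).
    """
    if normalize_first:
        normalized = normalize(path)
        if normalized is None:
            return REJECT
        path = normalized
    for pattern, chain in urls:
        if ant_to_regex(pattern).match(path):
            return chain
    return None


if __name__ == "__main__":
    for req in ("/account/index.jsp", "/./account/index.jsp",
                "/public/../account/index.jsp", "//account//index.jsp"):
        print(f"{req:32} vulnerable={resolve_chain(req, normalize_first=False)!s:6} "
              f"fixed={resolve_chain(req)}")
```

Run stand-alone, the vulnerable column lands /./account/index.jsp, /public/../account/index.jsp and //account//index.jsp on the anon catch-all, while the fixed column resolves all of them to /account/index.jsp and hence to authc. Two caveats a practitioner should keep in mind: the normalizer above works on an already percent-decoded path, so encoded forms such as %2e must be decoded by the container before this step or they will not be caught; and because the bypass falls through to whatever the catch-all entry is, a catch-all that requires authentication (with explicit anon entries for the few public paths) limits the damage of any future matching mistake far more than a permissive `/** = anon`.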

Re: CVE-2010-3863: Apache Shiro information disclosure vulnerability

Posted by Les Hazlewood <lh...@apache.org>.
I agree with Kalle - there was only one backwards-incompatible change
and that change was on a method that was intended for Shiro's own
private use.  Users shouldn't experience any problems with upgrading
to 1.1

Also, there were a lot of changes between 1.0.0-incubating and 1.1
that were very useful - for example, the bug fix for the INI parsing
problem that didn't retain definition order.  This affected URL chain
definition ordering which is a pretty necessary fix that went into
1.1.  That one, the Session ID cookie fix, and a few others were
important enough IMO that it doesn't make sense to issue a 1.0.1
without those as well.  Too much work given that 1.1 is available
already, imho.

My .02,

Les

Re: CVE-2010-3863: Apache Shiro information disclosure vulnerability

Posted by Kalle Korhonen <ka...@gmail.com>.
I'd say no - it's the incubator release and we want people to move
onto the tlp release. The interface changes were tiny, I doubt anybody
would have a problem upgrading. If you have a specific need though
obviously you could release at will and you'd get our votes.

Kalle


On Tue, Nov 2, 2010 at 10:14 PM, Alan D. Cabrera <li...@toolazydogs.com> wrote:
> Would it make sense to patch 1.0.0 and make a 1.0.1 release as well?
>
>
> Regards,
> Alan

Re: CVE-2010-3863: Apache Shiro information disclosure vulnerability

Posted by "Alan D. Cabrera" <li...@toolazydogs.com>.
Would it make sense to patch 1.0.0 and make a 1.0.1 release as well?


Regards,
Alan
