Posted to dev@jspwiki.apache.org by "Juan Pablo Santos Rodríguez (Jira)" <ji...@apache.org> on 2022/03/01 23:25:00 UTC

[jira] [Updated] (JSPWIKI-79) Ounce Labs Security Finding: Authentication - Change Password

     [ https://issues.apache.org/jira/browse/JSPWIKI-79?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Pablo Santos Rodríguez updated JSPWIKI-79:
-----------------------------------------------
    Security:     (was: Security Vulnerability Disclosure)

> Ounce Labs Security Finding: Authentication - Change Password 
> --------------------------------------------------------------
>
>                 Key: JSPWIKI-79
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-79
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication & Authorization
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Juan Pablo Santos Rodríguez
>            Priority: Major
>             Fix For: 2.11.2
>
>         Attachments: report.pdf
>
>
> Description:
> The change password process does not require the user to enter his original password.  If an attacker has hijacked the victim's session or the victim has left his machine unlocked and an attacker has access to his machine with a valid JSPWiki session up, an attacker can change the victim's password.
> Recommendation:
> Consider forcing the user to re-enter their original password to prevent attackers who have compromised the user's session from also changing his password and 1. gaining unbound account access and 2. DoSing the victim.
> Related Code Locations: 
> 18 findings:
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     342 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "fullname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     341 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     339 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "loginname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     339 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "loginname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     342 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "fullname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.getUserProfile(com.ecyrd.jspwiki.WikiSession):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     201 / 0
>   Context:        user . java.security.Principal.getName ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     341 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     355 / 0
>   Context:        context . com.ecyrd.jspwiki.WikiContext.getWikiSession() . com.ecyrd.jspwiki.WikiSession.getLoginPrincipal() . java.security.Principal.getName ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     342 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "fullname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     342 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "fullname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.getUserProfile(com.ecyrd.jspwiki.WikiSession):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     188 / 0
>   Context:        user . java.security.Principal.getName ()
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     342 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "fullname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     339 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "loginname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     341 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
>      -----------------------------------
>   Name:           JSPWiki_2_4_104.UserPreferences_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\UserPreferences.jsp
>   Line / Col:     28 / 0
>   Context:        "saveProfile" . java.lang.String.equals ( request . javax.servlet.ServletRequest.getParameter("action") )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     342 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "fullname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     339 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "loginname" )
>      -----------------------------------
>   Name:           com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
>   Type:           Vulnerability.Authentication
>   Severity:       Medium
>   Classification: Vulnerability
>   File Name:      Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
>   Line / Col:     341 / 0
>   Context:        request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
>      -----------------------------------



--
This message was sent by Atlassian Jira
(v8.20.1#820001)