You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Gancho Tenev (JIRA)" <ji...@apache.org> on 2015/05/30 00:25:17 UTC
[jira] [Updated] (TS-3649) url_sig plugin security issues (crash by
HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gancho Tenev updated TS-3649:
-----------------------------
Attachment: TS-3649-url_sig-security_issues.rtf
Please find information on how to setup the environment and steps to reproduce both issues in the attached file.
> url_sig plugin security issues (crash by HTTP request, circumvent signature)
> ----------------------------------------------------------------------------
>
> Key: TS-3649
> URL: https://issues.apache.org/jira/browse/TS-3649
> Project: Traffic Server
> Issue Type: Bug
> Components: Plugins
> Reporter: Gancho Tenev
> Attachments: TS-3649-url_sig-security_issues.rtf
>
>
> While reading the code found 2 security issues url_sig code which would allow:
> - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP request (segmentation fault due out-of-bounds array access) - there is a need of proper sanitation of the key index input (query parameter)
> - Issue 2: to gain access to protected assets by signing the URL with an empty secret key if at least one of the 16 keys is not provided in the uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and for the empty key the signature validation would succeed - must to deny access if the key specified in the signature is not defined in the plugin config (empty).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)