You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Francois Papon (Jira)" <ji...@apache.org> on 2019/11/18 20:35:00 UTC
[jira] [Commented] (SHIRO-721) RememberMe Padding Oracle
Vulnerability
[ https://issues.apache.org/jira/browse/SHIRO-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976870#comment-16976870 ]
Francois Papon commented on SHIRO-721:
--------------------------------------
Fixed with the latest 1.4.2 release.
[~loop09] please avoid opening issue in Jira for security issues (because Jira is public) and use [security@shiro.apache.org|mailto:security@shiro.apache.org] mailing list:
[https://www.apache.org/security/committers.html]
Thanks!
> RememberMe Padding Oracle Vulnerability
> ---------------------------------------
>
> Key: SHIRO-721
> URL: https://issues.apache.org/jira/browse/SHIRO-721
> Project: Shiro
> Issue Type: Bug
> Components: RememberMe
> Affects Versions: 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1
> Reporter: loopx9
> Priority: Critical
> Labels: java-deserialization, padding-oracle-attack, security
> Original Estimate: 504h
> Remaining Estimate: 504h
>
> The cookie {color:#ff0000}rememberMe {color}is encrypted by AES-128-CBC mode, and this can be vulnerable to padding oracle attacks. Attackers can use a vaild rememberMe cookie as the {color:#ff0000}prefix{color} for the Padding Oracle Attack,then make a crafted rememberMe to perform the java deserilization attack like SHIRO-550.
> Steps to reproduce this issue:
> # Login in the website and get the rememberMe from the cookie.
> # Use the rememberMe cookie as the prefix for Padding Oracle Attack.
> # Encrypt a ysoserial's serialization payload to make a crafted rememberMe via Padding Oracle Attack.
> # Request the website with the new rememberMe cookie, to perform the deserialization attack.
> The attacker doesn't need to know the cipher key of the rememberMe encryption.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)