Causeway: CAUSEWAY-1256

Shiro has a vulnerability for default rememberMe cookie. We should work around this somehow


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version: 1.10.0
    • Fix Version: 1.13.0
    • Component: Core
    • Labels: None

    Description

      See SHIRO-550: https://issues.apache.org/jira/browse/SHIRO-550

      Also:

      Severity: Important

      Vendor:
      The Apache Software Foundation

      Versions Affected:
      1.0.0-incubating - 1.2.4

      Description:
      A default cipher key is used for the "remember me" feature when not
      explicitly configured. A request that included a specially crafted request
      parameter could be used to execute arbitrary code or access content that
      would otherwise be protected by a security constraint.

      Mitigation:
      Users should upgrade to 1.2.5 [1], ensure a secret cipher key is
      configured [2], or disable the "remember me" feature. [3]

      All binaries (.jars) are available in Maven Central already.

      References:
      [1] http://shiro.apache.org/download.html
      [2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
      [3] If using a shiro.ini, "remember me" can be disabled adding the
      following config line in the '[main]' section:
      securityManager.rememberMeManager = null
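      The two configuration-side mitigations the advisory names ([2] and [3]), written out as a shiro.ini fragment. This is an added illustration, not part of the Shiro advisory or of the Causeway code base; it assumes the application is configured through a shiro.ini '[main]' section, that the security manager's rememberMeManager is Shiro's CookieRememberMeManager (whose cipherKey property takes a byte array), and that the '0x' hex prefix described in [2] is used for the byte-array value. The key shown is a placeholder, not a value to copy.

```ini
[main]
# Weak state described by the advisory: no cipherKey is set, so Shiro 1.2.4 and
# earlier silently fall back to the hard-coded default key shipped with
# CookieRememberMeManager. Leaving the property out is the vulnerable setting.

# Hardened: a per-deployment AES key as a hex-encoded byte array ('0x' prefix, see [2]).
# PLACEHOLDER VALUE: replace with 16 random bytes generated for this deployment only
# (for example from `openssl rand -hex 16`); never commit a real key to source control.
securityManager.rememberMeManager.cipherKey = 0x00112233445566778899AABBCCDDEEFF

# Alternative from [3]: remove the "remember me" feature altogether so that no
# rememberMe cookie is issued or decrypted. Use one mitigation or the other.
#securityManager.rememberMeManager = null
```

      Whichever option is chosen, it is worth confirming after deployment that either the rememberMe cookie is no longer set at all (option [3]) or that cookies issued before the key change are rejected rather than accepted (option [2]), since any cookie produced under the old default key is exactly what the advisory is about.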

      People

        Assignee: danhaywood (Daniel Keir Haywood)
        Reporter: danhaywood (Daniel Keir Haywood)