Isis: ISIS-1256

Shiro has a vulnerability for the default rememberMe cookie. We should work around this somehow

Details

• Type: Improvement
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 1.10.0
• Fix Version/s: 1.13.0
• Component/s: Core
• Labels: None

Description

See https://issues.apache.org/jira/browse/SHIRO-550

Also:

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
1.0.0-incubating - 1.2.4

Description:
A default cipher key is used for the "remember me" feature when not
explicitly configured. A request that included a specially crafted request
parameter could be used to execute arbitrary code or access content that
would otherwise be protected by a security constraint.

Mitigation:
Users should upgrade to 1.2.5 [1], ensure a secret cipher key is
configured [2], or disable the "remember me" feature. [3]

All binaries (.jars) are available in Maven Central already.

References:
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled by adding the
following config line in the '[main]' section:
securityManager.rememberMeManager = null

Activity

danhaywood Dan Haywood added a comment -

In fact, we don't use the Shiro 'rememberMe' feature, but we do rely on a similar feature baked into the Wicket signin page, and which has a similar issue (hard-coded encryption key for the user/password within the cookie).

So, this commit changes things so that the encryption key can be configured, and if not specified then a new (random) encryption key will be used each time the app is restarted.
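As an added illustration (not the Isis commit itself), here is the approach the comment describes, written in Java against Wicket's crypt API: the cookie key is taken from configuration when one is set, and otherwise a fresh random key is generated at each start. The class name, the property name and the hex encoding are assumptions; `CachingSunJceCryptFactory` and `setCryptFactory` are Wicket's own.

```java
import java.security.SecureRandom;
import org.apache.wicket.Application;
import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
import org.apache.wicket.util.crypt.ICryptFactory;

// Hypothetical helper class; not part of Isis or Wicket.
public final class RememberMeCookieKey {

    // Assumed property name an operator would set to pin the key.
    static final String KEY_PROPERTY = "app.rememberMe.encryptionKey";

    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Returns the operator-configured key when present, otherwise a random
     * 256-bit key. A fixed key compiled into the application (the weak
     * setting the issue describes) is never used as the fallback.
     *
     * Because the fallback is regenerated on every start, "remember me"
     * cookies issued before a restart stop decrypting, and nodes in a
     * cluster would each hold a different key; such deployments should set
     * the key explicitly rather than rely on the random fallback.
     */
    static String resolveKey(String configuredKey) {
        if (configuredKey != null && !configuredKey.trim().isEmpty()) {
            return configuredKey.trim();
        }
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Installs the resolved key as the crypt factory Wicket uses for the
     * signin cookie; intended to be called from WebApplication.init(), with
     * configuredKey read from the application's own configuration.
     */
    static void install(Application app, String configuredKey) {
        ICryptFactory factory =
            new CachingSunJceCryptFactory(resolveKey(configuredKey));
        app.getSecuritySettings().setCryptFactory(factory);
    }
}
```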

People

• Assignee: danhaywood Dan Haywood
• Reporter: danhaywood Dan Haywood