ISIS-1256
Shiro has a vulnerability for default rememberMe cookie. We should work around this somehow

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.10.0
    • Fix Version/s: 1.13.0
    • Component/s: Core
    • Labels: None

      Description

      See https://issues.apache.org/jira/browse/SHIRO-550

      Also:

      Severity: Important

      Vendor:
      The Apache Software Foundation

      Versions Affected:
      1.0.0-incubating - 1.2.4

      Description:
      A default cipher key is used for the "remember me" feature when not
      explicitly configured. A request that included a specially crafted request
      parameter could be used to execute arbitrary code or access content that
      would otherwise be protected by a security constraint.

      Mitigation:
      Users should upgrade to 1.2.5 [1], ensure a secret cipher key is
      configured [2], or disable the "remember me" feature. [3]

      All binaries (.jars) are available in Maven Central already.

      References:
      [1] http://shiro.apache.org/download.html
      [2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
      [3] If using a shiro.ini, "remember me" can be disabled by adding the
      following config line in the '[main]' section:
      securityManager.rememberMeManager = null
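The mitigations [2] and [3] above as a small configuration audit, added here as an example that is not part of the ticket, of Isis or of Shiro: it classifies the [main] section of a shiro.ini as relying on the default cipher key (the SHIRO-550 condition), as having an explicit cipherKey, or as having rememberMe disabled, and it can insert a freshly generated random key in the base64 form Shiro's byte-array values accept (reference [2]). The INI contents are constructed samples.

```python
import base64
import secrets

# Constructed shiro.ini sample (not from the ticket): rememberMe is left on the
# built-in default cipher key, which is exactly the condition SHIRO-550 describes.
VULNERABLE_INI = """[main]
# cookie name only; no cipherKey, so Shiro falls back to its default key
securityManager.rememberMeManager.cookie.name = rememberMe

[users]
sven = pass, admin_role
"""

# Constructed sample applying mitigation [3].
DISABLED_INI = "[main]\nsecurityManager.rememberMeManager = null\n"
KEY_PROP = "securityManager.rememberMeManager.cipherKey"


def parse_main_section(ini_text):
    """Return key/value pairs of the [main] section; comments and other sections are skipped."""
    section, main = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "main" and "=" in line:
            key, _, value = line.partition("=")  # values may themselves contain '='
            main[key.strip()] = value.strip()
    return main


def remember_me_status(ini_text):
    """'disabled' (mitigation [3]), 'explicit-key' (mitigation [2]) or 'default-key' (vulnerable)."""
    main = parse_main_section(ini_text)
    if main.get("securityManager.rememberMeManager") == "null":
        return "disabled"
    if main.get(KEY_PROP):
        return "explicit-key"
    return "default-key"


def new_cipher_key_line(nbytes=16):
    """Build the [main] line for a fresh random AES-128 key (16 bytes), base64-encoded."""
    return f"{KEY_PROP} = {base64.b64encode(secrets.token_bytes(nbytes)).decode()}"


def hardened_ini(ini_text):
    """Insert a generated cipherKey line right after [main] when the file relies on the default key."""
    if remember_me_status(ini_text) != "default-key":
        return ini_text
    lines = ini_text.splitlines()
    idx = next((i for i, l in enumerate(lines) if l.strip() == "[main]"), None)
    if idx is None:  # no [main] section at all: create one at the top
        lines = ["[main]"] + lines
        idx = 0
    lines.insert(idx + 1, new_cipher_key_line())
    return "\n".join(lines) + "\n"
```

A key value written with a `0x` prefix is read by Shiro as hex instead of base64; the audit treats either form as an explicit key.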

            People

            • Assignee: Dan Haywood (danhaywood)
            • Reporter: Dan Haywood (danhaywood)