[ 
https://issues.apache.org/jira/browse/ISIS-1256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dan Haywood updated ISIS-1256:
------------------------------
    Description: 
see https://issues.apache.org/jira/browse/SHIRO-550


Also:

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
1.0.0-incubating - 1.2.4

Description:
A default cipher key is used for the "remember me" feature when not
explicitly configured.  A request that included a specially crafted request
parameter could be used to execute arbitrary code or access content that
would otherwise be protected by a security constraint.

Mitigation:
Users should upgrade to 1.2.5 [1], ensure a secret cipher key is
configured [2], or disable the "remember me" feature [3].

All binaries (.jars) are available in Maven Central already.

References:
[1] http://shiro.apache.org/download.html
[2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
[3] If using a shiro.ini, "remember me" can be disabled by adding the
following config line in the '[main]' section:
  securityManager.rememberMeManager = null


  was:
see https://issues.apache.org/jira/browse/SHIRO-550



> Shiro has a vulnerability for default rememberMe cookie.  We should work 
> around this somehow
> -------------------------------------------------------------------------------------------
>
>                 Key: ISIS-1256
>                 URL: https://issues.apache.org/jira/browse/ISIS-1256
>             Project: Isis
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 1.10.0
>            Reporter: Dan Haywood
>            Assignee: Dan Haywood
>             Fix For: 1.13.0
>
>
> see https://issues.apache.org/jira/browse/SHIRO-550
> Also:
> Severity: Important
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> 1.0.0-incubating - 1.2.4
> Description:
> A default cipher key is used for the "remember me" feature when not
> explicitly configured.  A request that included a specially crafted request
> parameter could be used to execute arbitrary code or access content that
> would otherwise be protected by a security constraint.
> Mitigation:
> Users should upgrade to 1.2.5 [1], ensure a secret cipher key is
> configured [2], or disable the "remember me" feature [3].
> All binaries (.jars) are available in Maven Central already.
> References:
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
> [3] If using a shiro.ini, "remember me" can be disabled by adding the
> following config line in the '[main]' section:
>   securityManager.rememberMeManager = null
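The mitigations above ([2] configure a secret cipher key, [3] set the rememberMeManager to null) are both plain shiro.ini edits, and the dangerous state is simply the absence of either. The script below is an added example written for this issue, not code from Apache Isis or Apache Shiro: it audits the `[main]` section of a shiro.ini for the SHIRO-550 condition (remember-me left enabled with no explicit `cipherKey`) and rewrites the file with one of the two fixes. It assumes Shiro's INI byte-array convention from [2] (a `0x`-prefixed value is hex, anything else base64) and that the remember-me cipher is AES, so a configured key must be 16, 24 or 32 bytes; the sample shiro.ini inside is constructed for the example.

```python
"""Audit a shiro.ini for Shiro's default "remember me" cipher key and emit the
hardened [main] lines. Added example for this issue; not code from Apache Isis
or Apache Shiro. Assumptions: Shiro's INI byte[] convention ("0x" hex, else
base64) and an AES remember-me cipher (16/24/32-byte keys), as in Shiro 1.2.x."""
import base64
import binascii
import secrets

AES_KEY_LENGTHS = {16, 24, 32}
RMM = "securityManager.rememberMeManager"

# Constructed sample resembling a typical shiro.ini; no cipherKey is ever set,
# so Shiro 1.0.0-incubating through 1.2.4 would fall back to its built-in key.
VULNERABLE_INI = """\
[main]
# constructed example config; cipherKey never set
authc.loginUrl = /login
securityManager.rememberMeManager.cookie.name = rememberMe

[users]
sven = pass, admin_role

[urls]
/** = authc
"""


def parse_main_section(ini_text):
    """Return key/value pairs of the [main] section (minimal shiro.ini parser:
    '#'/';' comments, 'key = value', split on the first '=', last value wins)."""
    entries = {}
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "main" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def decode_shiro_bytes(value):
    """Decode a Shiro byte[] config value: '0x'-prefixed hex, otherwise base64."""
    if value.startswith("0x"):
        return binascii.unhexlify(value[2:])
    return base64.b64decode(value, validate=True)


def audit_remember_me(ini_text):
    """Classify the remember-me setup: 'disabled', 'explicit-key', 'invalid-key'
    or 'default-key' (the SHIRO-550 condition on Shiro <= 1.2.4)."""
    main = parse_main_section(ini_text)
    rmm = main.get(RMM)
    if rmm == "null":
        return "disabled", "rememberMeManager is null"
    # cipherKey may sit on the manager directly or on a named bean referenced as $name
    candidates = [RMM + ".cipherKey"]
    if rmm and rmm.startswith("$"):
        candidates.append(rmm[1:] + ".cipherKey")
    for key_name in candidates:
        if key_name not in main:
            continue
        try:
            key = decode_shiro_bytes(main[key_name])
        except (binascii.Error, ValueError) as exc:
            return "invalid-key", f"{key_name} is not valid hex/base64: {exc}"
        if len(key) not in AES_KEY_LENGTHS:
            return "invalid-key", f"{key_name} is {len(key)} bytes; AES needs 16, 24 or 32"
        return "explicit-key", f"{key_name} is a {len(key) * 8}-bit key"
    return "default-key", "no cipherKey set: Shiro <= 1.2.4 uses its built-in default key"


def cipher_key_line(key=None):
    """Render the [main] line that sets an explicit remember-me key.
    A fresh random AES-128 key is generated unless one is supplied."""
    key = secrets.token_bytes(16) if key is None else key
    return f"{RMM}.cipherKey = 0x{key.hex()}"


def harden(ini_text, key=None, disable=False):
    """Return ini_text with remember-me either disabled (mitigation [3]) or given
    an explicit key (mitigation [2]), inserted right after the [main] header."""
    fix = f"{RMM} = null" if disable else cipher_key_line(key)
    out, in_main = [], False
    for raw in ini_text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("["):
            in_main = stripped == "[main]"
        elif in_main and disable and stripped.split("=")[0].strip().startswith(RMM + "."):
            continue  # a null manager cannot be configured further; drop its sub-properties
        out.append(raw)
        if stripped == "[main]":
            out.append(fix)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit_remember_me(VULNERABLE_INI))
    print(harden(VULNERABLE_INI))
```

Run it against a real deployment's shiro.ini and treat anything other than `disabled` or `explicit-key` as unmitigated on a Shiro 1.2.4 or earlier classpath. Upgrading to 1.2.5 [1] is still the primary fix; the generated key must be kept secret, since anyone holding it can forge remember-me cookies.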



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)