[
https://issues.apache.org/jira/browse/ISIS-1256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Dan Haywood resolved ISIS-1256.
-------------------------------
Resolution: Fixed
In fact, we don't use the Shiro 'rememberMe' feature, but we do rely on a
similar feature baked into the Wicket signin page, and which has a similar
issue (hard-coded encryption key for the user/password within the cookie).
So, this commit changes things so that the encryption key can be configured,
and if not specified then a new (random) encryption key will be used each time
the app is restarted.
> Shiro has a vulnerabilty for default rememberMe cookie. We should work
> around this somehow
> -------------------------------------------------------------------------------------------
>
> Key: ISIS-1256
> URL: https://issues.apache.org/jira/browse/ISIS-1256
> Project: Isis
> Issue Type: Improvement
> Components: Core
> Affects Versions: 1.10.0
> Reporter: Dan Haywood
> Assignee: Dan Haywood
> Fix For: 1.13.0
>
>
> see https://issues.apache.org/jira/browse/SHIRO-550
> Also:
> Severity: Important
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> 1.0.0-incubating - 1.2.4
> Description:
> A default cipher key is used for the "remember me" feature when not
> explicitly configured. A request that included a specially crafted request
> parameter could be used to execute arbitrary code or access content that
> would otherwise be protected by a security constraint.
> Mitigation:
> Users should upgrade to 1.2.5 [1], ensure a secret cipher key is
> configured [2], or disable the "remember me" feature. [3]
> All binaries (.jars) are available in Maven Central already.
> References:
> [1] http://shiro.apache.org/download.html
> [2] http://shiro.apache.org/configuration.html#Configuration-ByteArrayValues
> [3] If using a shiro.ini, "remember me" can be disabled adding the
> following config line in the '[main]' section:
> securityManager.rememberMeManager = null
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
