[ https://issues.apache.org/jira/browse/JSPWIKI-79?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Pablo Santos Rodríguez updated JSPWIKI-79:
-----------------------------------------------
    Security:   (was: Security Vulnerability Disclosure)

> Ounce Labs Security Finding: Authentication - Change Password
> --------------------------------------------------------------
>
>                 Key: JSPWIKI-79
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-79
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication & Authorization
>    Affects Versions: 2.4.104
>            Reporter: Cristian Borlovan
>            Assignee: Juan Pablo Santos Rodríguez
>            Priority: Major
>             Fix For: 2.11.2
>
>         Attachments: report.pdf
>
>
> Description:
> The change password process does not require the user to enter his original
> password. If an attacker has hijacked the victim's session or the victim has
> left his machine unlocked and an attacker has access to his machine with a
> valid JSPWiki session up, an attacker can change the victim's password.
>
> Recommendation:
> Consider forcing the user to re-enter their original passwords to prevent
> attackers who have compromised the user's session to also change his password
> and 1. gain unbound account access and 2. DOS the victim.
>
> Related Code Locations:
> 18 findings:
>
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 342 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 341 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 339 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "loginname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 339 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "loginname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 342 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.getUserProfile(com.ecyrd.jspwiki.WikiSession):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 201 / 0
> Context: user . java.security.Principal.getName ()
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 341 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 355 / 0
> Context: context . com.ecyrd.jspwiki.WikiContext.getWikiSession() . com.ecyrd.jspwiki.WikiSession.getLoginPrincipal() . java.security.Principal.getName ()
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 342 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 342 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.getUserProfile(com.ecyrd.jspwiki.WikiSession):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 188 / 0
> Context: user . java.security.Principal.getName ()
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 342 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 339 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "loginname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 341 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
> -----------------------------------
> Name: JSPWiki_2_4_104.UserPreferences_jsp._jspService(javax.servlet.http.HttpServletRequest;javax.servlet.http.HttpServletResponse):void
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\web-root\JSPWiki.war\UserPreferences.jsp
> Line / Col: 28 / 0
> Context: "saveProfile" . java.lang.String.equals ( request . javax.servlet.ServletRequest.getParameter("action") )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 342 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "fullname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 339 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "loginname" )
> -----------------------------------
> Name: com.ecyrd.jspwiki.auth.UserManager.parseProfile(com.ecyrd.jspwiki.WikiContext):com.ecyrd.jspwiki.auth.user.UserProfile
> Type: Vulnerability.Authentication
> Severity: Medium
> Classification: Vulnerability
> File Name: Z:\jspwiki\JSPWiki_2_4_104\JSPWiki-src\src\com\ecyrd\jspwiki\auth\UserManager.java
> Line / Col: 341 / 0
> Context: request . javax.servlet.ServletRequest.getParameter ( "wikiname" )
> -----------------------------------

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
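
The recommendation in the issue description above (re-enter the original password before a change is accepted), sketched as an added example. This is not JSPWiki code and is not part of the original message: ChangePasswordDemo, its in-memory store and the sample account are hypothetical, and the PBKDF2 parameters are assumptions.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for a profile store; not JSPWiki's UserManager API.
public class ChangePasswordDemo {
    record Credential(byte[] salt, byte[] hash) {}
    private final Map<String, Credential> users = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    private static byte[] derive(char[] pw, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 210_000, 256); // assumed work factor
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    void setPassword(String login, char[] pw) throws Exception {
        byte[] salt = new byte[16];
        rng.nextBytes(salt);
        users.put(login, new Credential(salt, derive(pw, salt)));
    }

    boolean verify(String login, char[] pw) throws Exception {
        Credential c = users.get(login);
        // Constant-time comparison of the derived hashes.
        return c != null && MessageDigest.isEqual(c.hash(), derive(pw, c.salt()));
    }

    // The login name is taken from the authenticated session, not from a request
    // parameter, and the current password must be re-entered and verified.
    boolean changePassword(String sessionLogin, char[] current, char[] next) throws Exception {
        if (!verify(sessionLogin, current)) {
            return false; // possession of a live session alone is not sufficient
        }
        setPassword(sessionLogin, next);
        return true;
    }

    public static void main(String[] args) throws Exception {
        ChangePasswordDemo store = new ChangePasswordDemo();
        store.setPassword("alice", "old-secret".toCharArray()); // constructed sample account
        // Session holder who does not know the current password: change is refused.
        System.out.println(store.changePassword("alice", "guess".toCharArray(), "other".toCharArray()));
        // The original password is still valid after the refused attempt.
        System.out.println(store.verify("alice", "old-secret".toCharArray()));
        // Account owner re-enters the current password: change is accepted.
        System.out.println(store.changePassword("alice", "old-secret".toCharArray(), "new-secret".toCharArray()));
    }
}
```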