This didn't seem to get through the first time; I'm retrying.

From: Richard Bradley
Sent: 06 May 2016 12:47
To: '[email protected]' <[email protected]>
Subject: Remote Code Execution vulnerability in Shiro since May 2013 - SHIRO-550, SHIRO-441
Hi,

The "remember me" functionality is enabled by default in Shiro, and the encryption key is hardcoded and publicly available. Further, the "remember me" function uses Java deserialization, which allows remote code execution when an untrusted user supplies the data, as here.

There is a working exploit published on https://issues.apache.org/jira/browse/SHIRO-550

The underlying bug was first recorded on https://issues.apache.org/jira/browse/SHIRO-441 in May 2013.

Please could someone who is responsible for maintaining Shiro take a look?

If there is no-one available to fix these issues, I think that there should at least be a warning posted on the Shiro homepage explaining how to close this vulnerability in a default Shiro install.

Many thanks,
Richard Bradley

Richard Bradley
Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575
softwire
Sunday Times Best Small Companies - UK top 25 six years running
Web : http://www.softwire.com/ | Follow us on Twitter : @SoftwireUK (https://twitter.com/SoftwireUK)
Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
Softwire Technology Limited. Registered in England no. 3824658. Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
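As an added illustration of closing the issue the report describes in a default install (example code written here, not from the email or the Shiro project), the following shows the two defensive options: turning RememberMe off, or keeping it but replacing the shared built-in key with a per-deployment secret so that the cookie cannot be forged and no attacker-controlled bytes reach the deserializer. It assumes Shiro's public classes `CookieRememberMeManager`, `AesCipherService` and `DefaultWebSecurityManager`, and an environment variable name `SHIRO_REMEMBER_ME_KEY` chosen for this example.

```java
// Added example, not part of the original email or of Shiro itself.
import java.util.Base64;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public final class RememberMeHardening {

    /** Option 1: disable the feature. No rememberMe cookie is issued or parsed. */
    public static DefaultWebSecurityManager withoutRememberMe() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(null);
        return sm;
    }

    /** Option 2: keep the feature, but refuse to run on the hardcoded default key. */
    public static DefaultWebSecurityManager withPerDeploymentKey(String base64Key) {
        if (base64Key == null || base64Key.isEmpty()) {
            // Failing closed matters: silently falling back to Shiro's built-in
            // key is exactly the default that makes the cookie forgeable.
            throw new IllegalStateException("no rememberMe key configured");
        }
        byte[] key = Base64.getDecoder().decode(base64Key);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalArgumentException("AES key must be 128, 192 or 256 bits");
        }
        CookieRememberMeManager rmm = new CookieRememberMeManager();
        rmm.setCipherKey(key); // overrides the publicly known default
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rmm);
        return sm;
    }

    /** Run once per deployment; keep the output in a secret store, never in source control. */
    public static String generateKeyBase64() {
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        return Base64.getEncoder().encodeToString(key);
    }

    public static void main(String[] args) {
        // SHIRO_REMEMBER_ME_KEY is an assumed variable name for this example.
        DefaultWebSecurityManager sm = withPerDeploymentKey(System.getenv("SHIRO_REMEMBER_ME_KEY"));
        System.out.println("rememberMe uses a non-default key: " + (sm.getRememberMeManager() != null));
    }
}
```

Rotating the key invalidates every outstanding rememberMe cookie, which is the intended effect after a suspected key exposure; the deserialization step itself is unchanged, so the key's secrecy is the only thing standing between untrusted input and the deserializer.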
