loopx9 created SHIRO-721:
----------------------------
Summary: RememberMe Padding Oracle Vulnerability
Key: SHIRO-721
URL: https://issues.apache.org/jira/browse/SHIRO-721
Project: Shiro
Issue Type: Bug
Components: RememberMe
Affects Versions: 1.4.1, 1.4.0, 1.4.0-RC2, 1.3.2, 1.3.1, 1.3.0, 1.2.6, 1.2.5
Reporter: loopx9
The cookie rememberMe is encrypted by AES-128-CBC, and
this can be vulnerable to padding oracle attacks. Attackers can use a valid
rememberMe cookie as the prefix for the Padding Oracle
Attack, then make a crafted rememberMe to perform the Java deserialization attack
like SHIRO-550.
Steps to reproduce this issue:
1. Log in to the website and get the rememberMe from the cookie.
2. Use the rememberMe cookie as the prefix for Padding Oracle Attack.
3. Encrypt a ysoserial's serialization payload to make a crafted rememberMe via
Padding Oracle Attack.
4. Request the website with the new rememberMe cookie, to perform the
deserialization attack.
The attacker doesn't need to know the cipher key of the rememberMe encryption.
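The root cause from a defender's side, as an added example that is not part of the original report and is not Shiro's code: unauthenticated AES-CBC accepts a modified cookie value, while an authenticated mode such as AES-GCM rejects it before anything is unpadded or deserialized. The class and method names are hypothetical and the plaintext is a constructed sample.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example, not Shiro code. Class and method names are hypothetical.
public class RememberMeSealDemo {
    static final SecureRandom RNG = new SecureRandom();
    // Encrypts with a fresh random IV and returns IV || ciphertext.
    static byte[] seal(String mode, SecretKeySpec key, byte[] plain) throws Exception {
        boolean gcm = mode.contains("GCM");
        byte[] iv = new byte[gcm ? 12 : 16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(mode);
        c.init(Cipher.ENCRYPT_MODE, key, gcm ? new GCMParameterSpec(128, iv) : new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Returns the plaintext, or null on ANY failure, so the caller has a single
    // rejection path and never reports a padding error differently from other errors.
    static byte[] open(String mode, SecretKeySpec key, byte[] blob) {
        try {
            boolean gcm = mode.contains("GCM");
            int n = gcm ? 12 : 16;
            Cipher c = Cipher.getInstance(mode);
            c.init(Cipher.DECRYPT_MODE, key, gcm ? new GCMParameterSpec(128, blob, 0, n) : new IvParameterSpec(blob, 0, n));
            return c.doFinal(blob, n, blob.length - n);
        } catch (Exception e) {
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] k = new byte[16];
        RNG.nextBytes(k);
        SecretKeySpec key = new SecretKeySpec(k, "AES");
        byte[] plain = "principal=alice".getBytes(StandardCharsets.US_ASCII); // constructed sample
        for (String mode : new String[] {"AES/CBC/PKCS5Padding", "AES/GCM/NoPadding"}) {
            byte[] blob = seal(mode, key, plain);
            blob[0] ^= 0x01; // one bit changed in transit (first IV byte)
            byte[] got = open(mode, key, blob);
            // CBC: padding still valid, so altered plaintext is accepted. GCM: tag check fails.
            System.out.println(mode + ": " + (got == null ? "rejected" : "accepted, plaintext altered=" + !Arrays.equals(got, plain)));
        }
    }
}
```

With CBC the modified value decrypts without error and yields different plaintext; with GCM the same one-bit change is rejected by the tag check, so the decrypted bytes never reach a deserializer.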