loopx9 created SHIRO-721: ---------------------------- Summary: RememberMe Padding Oracle Vulnerability Key: SHIRO-721 URL: https://issues.apache.org/jira/browse/SHIRO-721 Project: Shiro Issue Type: Bug Components: RememberMe Affects Versions: 1.4.1, 1.4.0, 1.4.0-RC2, 1.3.2, 1.3.1, 1.3.0, 1.2.6, 1.2.5 Reporter: loopx9
The cookie {color:#FF0000}rememberMe {color}is encrypted by AES-128-CBC, and this can be vulnerable to padding oracle attacks. Attackers can use a vaild rememberMe cookie as the {color:#FF0000}prefix{color} for the Padding Oracle Attack,then make a crafted rememberMe to perform the java deserilization attack like SHIRO-550. Steps to reproduce this issue: # Login in the website and get the rememberMe from the cookie. # Use the rememberMe cookie as the prefix for Padding Oracle Attack. # Encrypt a ysoserial's serialization payload to make a crafted rememberMe via Padding Oracle Attack. # Request the website with the new rememberMe cookie, to perform the deserialization attack. The attacker doesn't need to know the cipher key of the rememberMe encryption. -- This message was sent by Atlassian Jira (v8.3.2#803003)