Eduardo Aguinaga created KARAF-4206:
---------------------------------------
Summary: Session Fixation
Key: KARAF-4206
URL: https://issues.apache.org/jira/browse/KARAF-4206
Project: Karaf
Issue Type: Bug
Affects Versions: 4.0.3
Reporter: Eduardo Aguinaga
HP Fortify SCA and SciTools Understand were used to perform an application
security analysis on the Karaf source code.
On line 69 of SuCommand.java the method execute() authenticates users without
invalidating the existing session identifier, giving an attacker the
opportunity to steal authenticated sessions. An existing session should be
invalidated by calling HttpSession.invalidate() prior to calling
loginContext.login().
File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
Line: 69
SuCommand.java, lines 52-69:
52     @Override
53     public Object execute() throws Exception {
54         Subject subject = new Subject();
55         LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
56             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
57                 for (Callback callback : callbacks) {
58                     if (callback instanceof NameCallback) {
59                         ((NameCallback) callback).setName(user);
60                     } else if (callback instanceof PasswordCallback) {
61                         String password = SuCommand.this.session.readLine("Password: ", '*');
62                         ((PasswordCallback) callback).setPassword(password.toCharArray());
63                     } else {
64                         throw new UnsupportedCallbackException(callback);
65                     }
66                 }
67             }
68         });
69         loginContext.login();
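For illustration of the remediation the report asks for (invalidate any pre-existing session before the JAAS login, then issue a fresh session only after authentication succeeds), here is an added example written for a generic servlet login, not code from Karaf or from SuCommand.java; the servlet request, the realm name and the session attribute name are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: JAAS login for a servlet request that renews the session id before authenticating. */
public final class SessionRenewingLogin {

    /** Assumed JAAS configuration entry name; real deployments use their own. */
    private static final String REALM = "karaf";

    public static Subject login(HttpServletRequest request, final String user, final char[] password)
            throws LoginException {
        // 1. Kill any session that existed before authentication, so an id that was
        //    fixed on the client before login cannot become an authenticated session.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // 2. Authenticate against the realm; same callback shape as the reported code.
        Subject subject = new Subject();
        LoginContext ctx = new LoginContext(REALM, subject, new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        });
        ctx.login();
        // 3. Only after a successful login create the session that carries authenticated
        //    state; getSession(true) after invalidate() yields a brand-new id.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("javax.security.auth.subject", subject); // assumed attribute name
        Arrays.fill(password, '\0'); // do not keep the password chars around
        return subject;
    }
}
```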
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)