[
https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Leif Hedstrom updated TS-3649:
------------------------------
Fix Version/s: 6.0.0
> url_sig plugin security issues (crash by HTTP request, circumvent signature)
> ----------------------------------------------------------------------------
>
> Key: TS-3649
> URL: https://issues.apache.org/jira/browse/TS-3649
> Project: Traffic Server
> Issue Type: Bug
> Components: Plugins
> Reporter: Gancho Tenev
> Fix For: 6.0.0
>
> Attachments: TS-3649-url_sig-security_issues.rtf
>
>
> While reading the code found 2 security issues url_sig code which would allow:
> - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP
> request (segmentation fault due out-of-bounds array access) - there is a need
> of proper sanitation of the key index input (query parameter)
> - Issue 2: to gain access to protected assets by signing the URL with an
> empty secret key if at least one of the 16 keys is not provided in the
> uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and
> for the empty key the signature validation would succeed - must deny access
> if the key specified in the signature is not defined in the plugin config
> (empty).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
