[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)

Mon, 01 Jun 2015 10:46:38 -0700 

    [ 
https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14567633#comment-14567633
 ] 

ASF GitHub Bot commented on TS-3649:
------------------------------------

GitHub user gtenev opened a pull request:

    https://github.com/apache/trafficserver/pull/208

    TS-3649 Fix for url_sig plugin security issues 

    (crash by HTTP request & circumvent signature).

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gtenev/trafficserver TS-3649_url_sig_fix

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/208.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #208
    
----
commit 81e2574e1007db136e0572ba438e08ecd3b7f037
Author: Gancho Tenev <[email protected]>
Date:   2015-06-01T17:17:40Z

    TS-3649 Fix for url_sig plugin security issues (crash by HTTP request, 
circumvent signature).

----


> url_sig plugin security issues (crash by HTTP request, circumvent signature)
> ----------------------------------------------------------------------------
>
>                 Key: TS-3649
>                 URL: https://issues.apache.org/jira/browse/TS-3649
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Plugins
>            Reporter: Gancho Tenev
>            Assignee: Gancho Tenev
>             Fix For: 6.0.0
>
>         Attachments: TS-3649-url_sig-security_issues.patch, 
> TS-3649-url_sig-security_issues.rtf
>
>
> While reading the code found 2 security issues url_sig code which would allow:
> - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP 
> request (segmentation fault due out-of-bounds array access) - there is a need 
> of proper sanitation of the key index input (query parameter)
> - Issue 2: to gain access to protected assets by signing the URL with an 
> empty secret key if at least one of the 16 keys is not provided in the 
> uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and 
> for the empty key the signature validation would succeed - must deny access 
> if the key specified in the signature is not defined in the plugin config 
> (empty).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to