[jira] [Updated] (KARAF-4206) Session Fixation

2016-09-18 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4206:

Fix Version/s: (was: 4.0.7)
   4.0.8

> Session Fixation
> 
>
> Key: KARAF-4206
> URL: https://issues.apache.org/jira/browse/KARAF-4206
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis on the Karaf source code.
> On line 69 of SuCommand.java the method execute() authenticates users without
> invalidating the existing session identifier, giving an attacker the
> opportunity to steal authenticated sessions. An existing session should be
> invalidated by calling HttpSession.invalidate() prior to calling
> loginContext.login().
> File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
> Line: 69
> SuCommand.java, lines 52-69:
> {code}
> 52     @Override
> 53     public Object execute() throws Exception {
> 54         Subject subject = new Subject();
> 55         LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
> 56             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> 57                 for (Callback callback : callbacks) {
> 58                     if (callback instanceof NameCallback) {
> 59                         ((NameCallback) callback).setName(user);
> 60                     } else if (callback instanceof PasswordCallback) {
> 61                         String password = SuCommand.this.session.readLine("Password: ", '*');
> 62                         ((PasswordCallback) callback).setPassword(password.toCharArray());
> 63                     } else {
> 64                         throw new UnsupportedCallbackException(callback);
> 65                     }
> 66                 }
> 67             }
> 68         });
> 69         loginContext.login();
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
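The report above recommends calling HttpSession.invalidate() before loginContext.login(). Worth noting when triaging the finding: the `session` field SuCommand uses is the object `readLine("Password: ", '*')` is called on, i.e. the Karaf shell console session, not a servlet HttpSession, so the recommended call has nothing to act on in that code path. The example below is added here and is not Karaf or Apache code; it shows the pattern the scanner rule is looking for in a servlet where an HTTP session does exist, with the flagged shape (authenticate, keep the client's existing session) beside the hardened shape (invalidate, authenticate, bind a fresh session). Assumed: the javax.servlet API on the classpath, a JAAS realm named `karaf` in the JVM's JAAS configuration, and form fields `username` and `password`; `LoginServlet`, `SUBJECT_ATTR` and the method names are this example's own.

```java
// Added example, not Karaf code: the session-fixation shape the scanner flags,
// and the hardened shape, in a servlet where an HttpSession actually exists.
// Assumptions: javax.servlet API on the classpath, a JAAS realm named "karaf"
// in the JVM's JAAS configuration, form fields "username" and "password".
import java.io.IOException;
import java.util.Arrays;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    private static final String REALM = "karaf";                   // assumed realm name
    static final String SUBJECT_ATTR = "authenticated.subject";    // example's own attribute key

    /** Same callback wiring as SuCommand, fed from request parameters instead of the console. */
    private static Subject authenticate(final String user, final char[] password) throws LoginException {
        Subject subject = new Subject();
        LoginContext loginContext = new LoginContext(REALM, subject, new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(user);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(callback);
                    }
                }
            }
        });
        loginContext.login();
        return subject;
    }

    /** The shape the scanner flags: log in, then keep using whatever session the client
     *  arrived with. If an attacker planted that session id (via a link or cookie injection),
     *  it now names an authenticated session the attacker also holds. */
    static Subject loginKeepingSession(HttpServletRequest req, String user, char[] password)
            throws LoginException {
        Subject subject = authenticate(user, password);
        req.getSession(true).setAttribute(SUBJECT_ATTR, subject);  // same id before and after login
        return subject;
    }

    /** Hardened, following the report's recommendation: invalidate any existing session
     *  before loginContext.login(), then bind the subject to a freshly issued one. */
    static Subject loginWithFreshSession(HttpServletRequest req, String user, char[] password)
            throws LoginException {
        HttpSession existing = req.getSession(false);
        if (existing != null) {
            existing.invalidate();                 // the pre-auth id is now useless to whoever chose it
        }
        Subject subject = authenticate(user, password);
        HttpSession fresh = req.getSession(true);  // container generates a new id after auth
        fresh.setAttribute(SUBJECT_ATTR, subject);
        return subject;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        char[] password = pass.toCharArray();
        try {
            loginWithFreshSession(req, user, password);
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (LoginException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);  // no detail leaks to the client
        } finally {
            Arrays.fill(password, '\0');   // scrub the copy we control; the String itself cannot be cleared
        }
    }
}
```

The two static methods are the point of the example: `loginKeepingSession` is what a Fortify "Session Fixation" rule matches (a `login()` with no preceding `invalidate()` on the request's session), `loginWithFreshSession` is what satisfies it. Invalidating before `login()` also means a failed login attempt never leaves the attacker-supplied id alive, which is why the report asks for the call before rather than after authentication.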


[jira] [Updated] (KARAF-4206) Session Fixation

2016-08-23 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4206:

Fix Version/s: (was: 4.0.6)
   4.0.7

> Session Fixation
> 
>
> Key: KARAF-4206
> URL: https://issues.apache.org/jira/browse/KARAF-4206
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.7
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis on the Karaf source code.
> On line 69 of SuCommand.java the method execute() authenticates users without
> invalidating the existing session identifier, giving an attacker the
> opportunity to steal authenticated sessions. An existing session should be
> invalidated by calling HttpSession.invalidate() prior to calling
> loginContext.login().
> File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
> Line: 69
> SuCommand.java, lines 52-69:
> {code}
> 52     @Override
> 53     public Object execute() throws Exception {
> 54         Subject subject = new Subject();
> 55         LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
> 56             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> 57                 for (Callback callback : callbacks) {
> 58                     if (callback instanceof NameCallback) {
> 59                         ((NameCallback) callback).setName(user);
> 60                     } else if (callback instanceof PasswordCallback) {
> 61                         String password = SuCommand.this.session.readLine("Password: ", '*');
> 62                         ((PasswordCallback) callback).setPassword(password.toCharArray());
> 63                     } else {
> 64                         throw new UnsupportedCallbackException(callback);
> 65                     }
> 66                 }
> 67             }
> 68         });
> 69         loginContext.login();
> {code}





[jira] [Updated] (KARAF-4206) Session Fixation

2016-03-31 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4206:

Fix Version/s: 4.0.6
   4.1.0

> Session Fixation
> 
>
> Key: KARAF-4206
> URL: https://issues.apache.org/jira/browse/KARAF-4206
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis on the Karaf source code.
> On line 69 of SuCommand.java the method execute() authenticates users without
> invalidating the existing session identifier, giving an attacker the
> opportunity to steal authenticated sessions. An existing session should be
> invalidated by calling HttpSession.invalidate() prior to calling
> loginContext.login().
> File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
> Line: 69
> SuCommand.java, lines 52-69:
> {code}
> 52     @Override
> 53     public Object execute() throws Exception {
> 54         Subject subject = new Subject();
> 55         LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
> 56             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> 57                 for (Callback callback : callbacks) {
> 58                     if (callback instanceof NameCallback) {
> 59                         ((NameCallback) callback).setName(user);
> 60                     } else if (callback instanceof PasswordCallback) {
> 61                         String password = SuCommand.this.session.readLine("Password: ", '*');
> 62                         ((PasswordCallback) callback).setPassword(password.toCharArray());
> 63                     } else {
> 64                         throw new UnsupportedCallbackException(callback);
> 65                     }
> 66                 }
> 67             }
> 68         });
> 69         loginContext.login();
> {code}





[jira] [Updated] (KARAF-4206) Session Fixation

2015-12-15 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/KARAF-4206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4206:

Description: 
HP Fortify SCA and SciTools Understand were used to perform an application
security analysis on the Karaf source code.

On line 69 of SuCommand.java the method execute() authenticates users without
invalidating the existing session identifier, giving an attacker the
opportunity to steal authenticated sessions. An existing session should be
invalidated by calling HttpSession.invalidate() prior to calling
loginContext.login().

File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
Line: 69

SuCommand.java, lines 52-69:
{code}
52     @Override
53     public Object execute() throws Exception {
54         Subject subject = new Subject();
55         LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
56             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
57                 for (Callback callback : callbacks) {
58                     if (callback instanceof NameCallback) {
59                         ((NameCallback) callback).setName(user);
60                     } else if (callback instanceof PasswordCallback) {
61                         String password = SuCommand.this.session.readLine("Password: ", '*');
62                         ((PasswordCallback) callback).setPassword(password.toCharArray());
63                     } else {
64                         throw new UnsupportedCallbackException(callback);
65                     }
66                 }
67             }
68         });
69         loginContext.login();
{code}

  was:
HP Fortify SCA and SciTools Understand were used to perform an application
security analysis on the Karaf source code.

On line 69 of SuCommand.java the method execute() authenticates users without
invalidating the existing session identifier, giving an attacker the
opportunity to steal authenticated sessions. An existing session should be
invalidated by calling HttpSession.invalidate() prior to calling
loginContext.login().

File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
Line: 69

SuCommand.java, lines 52-69:
52     @Override
53     public Object execute() throws Exception {
54         Subject subject = new Subject();
55         LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
56             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
57                 for (Callback callback : callbacks) {
58                     if (callback instanceof NameCallback) {
59                         ((NameCallback) callback).setName(user);
60                     } else if (callback instanceof PasswordCallback) {
61                         String password = SuCommand.this.session.readLine("Password: ", '*');
62                         ((PasswordCallback) callback).setPassword(password.toCharArray());
63                     } else {
64                         throw new UnsupportedCallbackException(callback);
65                     }
66                 }
67             }
68         });
69         loginContext.login();


> Session Fixation
> 
>
> Key: KARAF-4206
> URL: https://issues.apache.org/jira/browse/KARAF-4206
> Project: Karaf
>  Issue Type: Bug
>Affects Versions: 4.0.3
>Reporter: Eduardo Aguinaga
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis on the Karaf source code.
> On line 69 of SuCommand.java the method execute() authenticates users without
> invalidating the existing session identifier, giving an attacker the
> opportunity to steal authenticated sessions. An existing session should be
> invalidated by calling HttpSession.invalidate() prior to calling
> loginContext.login().
> File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
> Line: 69
> SuCommand.java, lines 52-69:
> {code}
> 52     @Override
> 53     public Object execute() throws Exception {
> 54         Subject subject = new Subject();
> 55         LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
> 56             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> 57                 for (Callback callback : callbacks) {
> 58                     if (callback instanceof NameCallback) {
> 59                         ((NameCallback) callback).setName(user);
> 60                     } else if (callback instanceof PasswordCallback) {
> 61                         String password = SuCommand.this.session.readLine("Password: ", '*');
> 62                         ((PasswordCallback) callback).setPassword(password.toCharArray());
> 63                     } else {
> 64                         throw new UnsupportedCallbackException(callback);
> 65                     }
> 66                 }
> 67             }
> 68         });
> 69