{"id": "PACKETSTORM:95484", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Apache Shiro Information Disclosure", "description": "", "published": "2010-11-04T00:00:00", "modified": "2010-11-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://packetstormsecurity.com/files/95484/Apache-Shiro-Information-Disclosure.html", "reporter": "SpringSource Security Team", "references": [], "cvelist": ["CVE-2010-3863"], "lastseen": "2016-12-05T22:11:42", "viewCount": 16, "enchantments": {"score": {"value": -0.9, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-3863"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2010-3863"]}, {"type": "nessus", "idList": ["SHIRO_SLASHDOT_BYPASS.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25074", "SECURITYVULNS:VULN:11230"]}], "rev": 4}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2010-3863"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:25074"]}]}, "exploitation": null, "vulnersScore": -0.9}, "sourceHref": "https://packetstormsecurity.com/files/download/95484/apacheshiro-disclose.txt", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nCVE-2010-3863: Apache Shiro information disclosure vulnerability \n \nSeverity: Important \n \nVendor: \nThe Apache Software Foundation \n \nVersions Affected: \nApache Shiro 1.0.0-incubating \nThe unsupported JSecurity 0.9.x versions are also affected \n \nDescription: \nShiro's path-based filter chain mechanism did not normalize request paths \nbefore performing path-matching logic. The result is that Shiro filter \nchain matching logic was susceptible to potential path traversal attacks. \n \nMitigation: \nAll users should upgrade to 1.1.0 \n \nExample: \nFor a shiro.ini [urls] section entry: \n \n/account/** = authc, ... 
\n/** = anon \n \nThis states that all requests to the /account/** pages should be \nauthenticated (as indicated by the 'authc' (authentication) filter) in the \nchain definition. \n \nA malicious request could be sent: \n \nGET /./account/index.jsp HTTP/1.1 \n \nAnd access would be granted because the path was not normalized to \n/account/index.jsp before evaluating the path for a match. \n \nCredit: \nThis issue was discovered by Luke Taylor of SpringSource. \n \nReferences: \nhttp://shiro.apache.org/configuration.html \n \nLes Hazlewood \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v2.0.14 (FreeBSD) \n \n-----END PGP SIGNATURE----- \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 1659703426}}
{"debiancve": [{"lastseen": "2022-07-04T06:02:21", "description": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.", "cvss3": {}, "published": "2010-11-05T17:00:00", "type": "debiancve", "title": "CVE-2010-3863", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3863"], "modified": "2010-11-05T17:00:00", "id": "DEBIANCVE:CVE-2010-3863", "href": "https://security-tracker.debian.org/tracker/CVE-2010-3863", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "securityvulns": [{"lastseen": "2021-06-08T19:12:17", "description": "Protection bypass via directory traversal.", "edition": 2, "cvss3": {}, "published": "2010-11-04T00:00:00", "title": "Apache Shiro protection bypass", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-3863"], "modified": "2010-11-04T00:00:00", "id": "SECURITYVULNS:VULN:11230", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11230", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:37", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\nCVE-2010-3863: Apache Shiro information disclosure vulnerability\r\n\r\nSeverity: Important\r\n\r\nVendor:\r\nThe Apache Software Foundation\r\n\r\nVersions 
Affected:\r\nApache Shiro 1.0.0-incubating\r\nThe unsupported JSecurity 0.9.x versions are also affected\r\n\r\nDescription:\r\nShiro's path-based filter chain mechanism did not normalize request paths\r\nbefore performing path-matching logic. The result is that Shiro filter\r\nchain matching logic was susceptible to potential path traversal attacks.\r\n\r\nMitigation:\r\nAll users should upgrade to 1.1.0\r\n\r\nExample:\r\nFor a shiro.ini [urls] section entry:\r\n\r\n/account/** = authc, ...\r\n/** = anon\r\n\r\nThis states that all requests to the /account/** pages should be\r\nauthenticated (as indicated by the 'authc' (authentication) filter) in the\r\nchain definition.\r\n\r\nA malicious request could be sent:\r\n\r\nGET /./account/index.jsp HTTP/1.1\r\n\r\nAnd access would be granted because the path was not normalized to\r\n/account/index.jsp before evaluating the path for a match.\r\n\r\nCredit:\r\nThis issue was discovered by Luke Taylor of SpringSource.\r\n\r\nReferences:\r\nhttp://shiro.apache.org/configuration.html\r\n\r\nLes Hazlewood\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.14 (FreeBSD)\r\n\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": 
"2010-11-04T00:00:00", "title": "CVE-2010-3863: Apache Shiro information disclosure vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-3863"], "modified": "2010-11-04T00:00:00", "id": "SECURITYVULNS:DOC:25074", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25074", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "cve": [{"lastseen": "2022-03-23T12:38:07", "description": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.", "cvss3": {}, "published": "2010-11-05T17:00:00", "type": "cve", "title": "CVE-2010-3863", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3863"], "modified": "2018-10-10T20:05:00", "cpe": ["cpe:/a:jsecurity:jsecurity:0.9.0", "cpe:/a:apache:shiro:1.0.0"], "id": "CVE-2010-3863", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3863", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:jsecurity:jsecurity:0.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:apache:shiro:1.0.0:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2022-04-12T15:24:07", "description": "The version of the Apache Shiro open source security framework running on the remote web server is affected by an error in the path-based filter chain 
mechanism due to a failure to properly normalize URI paths before comparing them with entries in the shiro.ini file. An unauthenticated, remote attacker can exploit this, via a crafted request using directory traversal, to bypass intended access restrictions, resulting in the disclosure of sensitive information.", "cvss3": {"score": null, "vector": null}, "published": "2010-11-15T00:00:00", "type": "nessus", "title": "Apache Shiro URI Path Security Directory Traversal Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-3863"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:shiro"], "id": "SHIRO_SLASHDOT_BYPASS.NASL", "href": "https://www.tenable.com/plugins/nessus/50600", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(50600);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2010-3863\");\n script_bugtraq_id(44616);\n script_xref(name:\"EDB-ID\", value:\"34952\");\n\n script_name(english:\"Apache Shiro URI Path Security Directory Traversal Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A security framework running on the remote web server is affected by an information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Apache Shiro open source security framework running on the remote web server is affected by an \nerror in the path-based filter chain mechanism due to a failure to properly normalize URI paths before comparing them \nwith entries in the shiro.ini file. 
An unauthenticated, remote attacker can exploit this, via a crafted request using \ndirectory traversal, to bypass intended access restrictions, resulting in the disclosure of sensitive information.\");\n # https://www.securityfocus.com/archive/1/514616/100/0/threaded\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?03f0578a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Shiro version 1.1.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-3863\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/11/15\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:shiro\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2004-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('debug.inc');\ninclude('global_settings.inc');\ninclude('http.inc');\ninclude('misc_func.inc');\ninclude('webapp_func.inc');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80);\n\n# Lists of URLs possibly protected by Shiro.\nauthc_files = get_kb_list('www/' + port + '/content/30x');\nauthcbasic_files = get_kb_list('www/' + port + '/content/basic_auth/url/*');\n\nif (isnull(authc_files) && isnull(authcbasic_files))\n exit(0, 'The web server on port ' + port + ' does not appear to have any pages that might be protected by Shiro\\'s authentication filters.');\n\nfiles = make_list();\nif (!isnull(authc_files))\n files = make_list(files, authc_files);\nif (!isnull(authcbasic_files))\n files = make_list(files, authcbasic_files);\n\ndbg::log(msg:'List of URLs possibly protected by Shiro:');\nforeach f (files)\n dbg::log(msg:'\\t - ' + f);\n\ndisable_cookiejar();\nmax_files = 5;\ni = 0;\n# Common login patterns to verify we are able to bypass authentication\nlogin_pat = \"user((\\s)?(name|id))?|pass(word)?|submit|log((\\s)?\\+(\\s)?(in|on)|in|on)|id|email\";\nvuln = FALSE;\noutput = '';\n\nforeach url (files)\n{\n dbg::log(msg: 'Processing url: ' + url);\n if (!thorough_tests && i++ >= max_files)\n break;\n\n # Try to exploit the vulnerability to bypass authentication.\n url = ereg_replace(pattern:\"^(.+?)([?;].*)\", replace:\"\\1\", string:url);\n exploit = '/.' 
+ url;\n\n res = http_send_recv3(\n method : 'GET',\n item : exploit,\n port : port,\n exit_on_fail : TRUE\n );\n dbg::log(msg:'Initial Request:\\n' + http_last_sent_request());\n dbg::log(msg:'Response:' + '\\nStatus Code: ' + res[0] + '\\nHeaders:\\n' + res[1] + 'Body:\\n' + res[2]);\n\n headers = parse_http_headers(status_line:res[0], headers:res[1]);\n if (isnull(headers))\n audit(AUDIT_WEB_NO_SERVER_HEADER, port);\n\n if (isnull(headers['location']))\n location = '';\n else\n location = headers['location'];\n\n code = headers['$code'];\n\n if (code == 302 && exploit+'/' >< location)\n {\n url += '/';\n exploit = '/.' + url;\n res = http_send_recv3(\n method : 'GET',\n item : exploit,\n port : port,\n exit_on_fail : TRUE\n );\n dbg::log(msg:'Request {Status code == 302 && exploit + / in location}:\\n' + http_last_sent_request());\n dbg::log(msg:'Response:' + '\\nStatus Code: ' + res[0] + '\\nHeaders:\\n' + res[1] + 'Body:\\n' + res[2]);\n\n headers = parse_http_headers(status_line:res[0], headers:res[1]);\n if (isnull(headers))\n audit(AUDIT_WEB_NO_SERVER_HEADER, port);\n\n code = headers['$code'];\n }\n\n # Verify that the response before our exploit is not returning the same\n # HTTP status code\n if (code == 200)\n {\n output = strip(res[2]);\n res2 = http_send_recv3(\n method : 'GET',\n port : port,\n item : url,\n exit_on_fail : TRUE\n );\n dbg::log(msg:'Request {Status code == 200}:\\n' + http_last_sent_request());\n dbg::log(msg:'Response:' + '\\nStatus Code: ' + res2[0] + '\\nHeaders:\\n' + res2[1] + 'Body:\\n' + res2[2]);\n\n if (res2[0] =~ \"^HTTP/[0-9.]+ 30[1237]\")\n {\n # Appears to be vulnerable. 
Let's follow the redirect now and verify\n res2 = http_send_recv3(\n method : 'GET',\n port : port,\n item : url,\n follow_redirect : 3,\n exit_on_fail : TRUE\n );\n dbg::log(msg:'Request {Status code line matches \"^HTTP/[0-9.]+ 30[1237}:\\n' + http_last_sent_request());\n dbg::log(msg:'Response:' + '\\nStatus Code: ' + res[0] + '\\nHeaders:\\n' + res[1] + 'Body:\\n' + res[2]);\n\n # Lets check for some indication that this is a login page before we\n # report it.\n if (preg(string:res2[2], icase:TRUE, pattern:login_pat, multiline:TRUE))\n vuln = TRUE;\n }\n # Basic authentication used, and we bypassed it, so flag this case.\n if(res2[0] =~ \"^HTTP/[0-9.]+ 401\" && res2[1] =~ \"WWW-Authenticate: Basic\")\n vuln = TRUE;\n }\n if (vuln)\n break;\n}\n\nif (!vuln)\n audit(AUDIT_LISTEN_NOT_VULN, 'web server', port);\n\nsecurity_report_v4(\n port : port,\n generic : TRUE,\n severity : SECURITY_WARNING,\n request : make_list(build_url(qs:exploit, port:port)),\n output : output\n);\nexit(0);\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}