[ https://issues.apache.org/jira/browse/KARAF-4206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4206:
----------------------------------------
    Fix Version/s:     (was: 4.0.7)
                   4.0.8

> Session Fixation
> ----------------
>
>                 Key: KARAF-4206
>                 URL: https://issues.apache.org/jira/browse/KARAF-4206
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> On line 69 of SuCommand.java the method execute() authenticates users without 
> invalidating the existing session identifier, giving an attacker the 
> opportunity to steal authenticated sessions. An existing session should be 
> invalidated by calling HttpSession.invalidate() prior to calling 
> loginContext.login().
> File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
> Line: 69
> SuCommand.java, lines 52-69:
> {code}
> 52 @Override
> 53 public Object execute() throws Exception {
> 54     Subject subject = new Subject();
> 55     LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
> 56         public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> 57             for (Callback callback : callbacks) {
> 58                 if (callback instanceof NameCallback) {
> 59                     ((NameCallback) callback).setName(user);
> 60                 } else if (callback instanceof PasswordCallback) {
> 61                     String password = SuCommand.this.session.readLine("Password: ", '*');
> 62                     ((PasswordCallback) callback).setPassword(password.toCharArray());
> 63                 } else {
> 64                     throw new UnsupportedCallbackException(callback);
> 65                 }
> 66             }
> 67         }
> 68     });
> 69     loginContext.login();
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
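The report's recommended remediation, shown as an added example that is not Karaf's code and not part of the original issue: a hypothetical HTTP login helper (class name, realm string, the "subject" session attribute and the servlet request plumbing are all assumptions) that performs the same JAAS LoginContext login as the quoted snippet, first in the shape the scanner flags (the pre-authentication session is kept and simply marked as logged in) and then in the hardened shape where HttpSession.invalidate() is called before loginContext.login() and a fresh session id is issued afterwards.

```java
import java.io.IOException;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical HTTP login helper (example code, not Karaf's) illustrating the
 * session-fixation fix recommended in KARAF-4206: discard the session that
 * existed before authentication so an attacker-supplied session id can never
 * become an authenticated one.
 */
public class FixatingLoginHandler {

    private final String realm; // JAAS realm name, e.g. "karaf" (assumed)

    public FixatingLoginHandler(String realm) {
        this.realm = realm;
    }

    /** Vulnerable shape: authenticates, then marks whatever session already exists as logged in. */
    public Subject loginKeepingSession(HttpServletRequest request, String user, char[] password)
            throws LoginException {
        Subject subject = authenticate(user, password);
        // If the attacker planted this session id before login (e.g. via a crafted
        // link), it is now bound to an authenticated principal: session fixation.
        request.getSession(true).setAttribute("subject", subject);
        return subject;
    }

    /** Hardened shape: invalidate the existing session before login, then issue a fresh id. */
    public Subject loginWithFreshSession(HttpServletRequest request, String user, char[] password)
            throws LoginException {
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            // Drop the pre-authentication session and its id, as the report recommends,
            // before calling loginContext.login(). Nothing is carried over (assumption).
            existing.invalidate();
        }
        Subject subject = authenticate(user, password);
        // After invalidate(), getSession(true) creates a new session with a new id,
        // so the id that reaches the client is one the attacker never saw.
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("subject", subject);
        return subject;
    }

    /** Same JAAS login as the quoted SuCommand snippet, minus the console prompt. */
    private Subject authenticate(String user, char[] password) throws LoginException {
        Subject subject = new Subject();
        LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(user);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(callback);
                    }
                }
            }
        });
        loginContext.login();
        return subject;
    }
}
```

On a Servlet 3.1 or later container, `request.changeSessionId()` after a successful `login()` achieves the same id rotation while keeping the session's attributes; `invalidate()` followed by `getSession(true)` is the portable form and is the one the report asks for.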