[ https://issues.apache.org/jira/browse/KARAF-4206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4206:
----------------------------------------
    Fix Version/s:     (was: 4.0.8)
                       4.0.9

> Session Fixation
> ----------------
>
>                 Key: KARAF-4206
>                 URL: https://issues.apache.org/jira/browse/KARAF-4206
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.9
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis on the karaf source code.
> On line 69 of SuCommand.java the method execute() authenticates users without
> invalidating the existing session identifier, giving an attacker the
> opportunity to steal authenticated sessions. An existing session should be
> invalidated by calling HttpSession.invalidate() prior to calling
> loginContext.login().
> File: jaas/command/src/main/java/org/apache/karaf/jaas/command/SuCommand.java
> Line: 69
> SuCommand.java, lines 52-69:
> {code}
> 52     @Override
> 53     public Object execute() throws Exception {
> 54         Subject subject = new Subject();
> 55         LoginContext loginContext = new LoginContext(realm, subject, new CallbackHandler() {
> 56             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> 57                 for (Callback callback : callbacks) {
> 58                     if (callback instanceof NameCallback) {
> 59                         ((NameCallback) callback).setName(user);
> 60                     } else if (callback instanceof PasswordCallback) {
> 61                         String password = SuCommand.this.session.readLine("Password: ", '*');
> 62                         ((PasswordCallback) callback).setPassword(password.toCharArray());
> 63                     } else {
> 64                         throw new UnsupportedCallbackException(callback);
> 65                     }
> 66                 }
> 67             }
> 68         });
> 69         loginContext.login();
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
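The report above states the general session-fixation rule: authenticate only after the session identifier the client arrived with has been invalidated, so that an identifier an attacker planted before login never becomes an authenticated one. The following is an added example written for this page; it is not code from Karaf, from the reporter, or from the Fortify finding. It models a container's session table with a small in-memory class (SessionStore, constructed here) and replaces LoginContext.login() with a stand-in credential check (authenticate), so the only thing it shows is what the session identifier does across login. The user name and password "karaf"/"karaf" are sample values for the demo, not an assumption about any real deployment.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Stand-in for a servlet container's session table (constructed for this example). */
final class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    // session id -> authenticated principal, or null while the session is anonymous
    private final Map<String, String> principalBySession = new HashMap<>();

    /** Issue a fresh, unpredictable, anonymous session id. */
    String create() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        principalBySession.put(id, null);
        return id;
    }

    boolean exists(String id)          { return principalBySession.containsKey(id); }
    void invalidate(String id)         { principalBySession.remove(id); }          // HttpSession.invalidate()
    void bind(String id, String user)  { principalBySession.put(id, user); }
    String principal(String id)        { return principalBySession.get(id); }      // null if anonymous/unknown
}

public class SessionFixationDemo {

    /** Stand-in for LoginContext.login(): checks credentials, knows nothing about sessions. */
    static boolean authenticate(String user, char[] password) {
        return "karaf".equals(user) && "karaf".equals(new String(password));
    }

    /**
     * Vulnerable pattern: the principal is bound to whatever session id the client
     * presented. If an attacker planted that id beforehand, the attacker now holds
     * an authenticated session without ever seeing the password.
     */
    static String loginWithoutRotation(SessionStore store, String presentedId, String user, char[] pw) {
        if (!authenticate(user, pw)) {
            return null;
        }
        store.bind(presentedId, user);
        return presentedId;
    }

    /**
     * Hardened pattern, in the order the report recommends: invalidate the
     * pre-authentication session first, authenticate, then issue a brand-new id
     * and bind the principal to that. The planted id is dead either way.
     * (A failed login also drops the anonymous session; callers should expect that.)
     */
    static String loginWithRotation(SessionStore store, String presentedId, String user, char[] pw) {
        if (store.exists(presentedId)) {
            store.invalidate(presentedId);
        }
        if (!authenticate(user, pw)) {
            return null;
        }
        String freshId = store.create();
        store.bind(freshId, user);
        return freshId;
    }

    public static void main(String[] args) {
        char[] pw = "karaf".toCharArray();

        // Scenario 1: attacker fetches an anonymous id and plants it in the victim's client.
        SessionStore vulnerable = new SessionStore();
        String planted = vulnerable.create();
        loginWithoutRotation(vulnerable, planted, "karaf", pw);
        System.out.println("without rotation: planted id still valid=" + vulnerable.exists(planted)
                + ", principal=" + vulnerable.principal(planted));

        // Scenario 2: same attack against the hardened login.
        SessionStore hardened = new SessionStore();
        String planted2 = hardened.create();
        String fresh = loginWithRotation(hardened, planted2, "karaf", pw);
        System.out.println("with rotation: planted id still valid=" + hardened.exists(planted2)
                + ", victim's new id principal=" + hardened.principal(fresh));
    }
}
```

Run it with `javac SessionFixationDemo.java && java SessionFixationDemo`. In the first scenario the identifier the attacker already knows comes back bound to the user; in the second it no longer exists in the store and only the freshly issued identifier, which the attacker never saw, carries the principal. The same check is the one to apply when reviewing any login path: confirm that the identifier valid before login is not the identifier valid after it.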