Gancho Tenev created TS-3649:
--------------------------------
Summary: url_sig plugin security issues (crash by HTTP request,
circumvent signature)
Key: TS-3649
URL: https://issues.apache.org/jira/browse/TS-3649
Project: Traffic Server
Issue Type: Bug
Components: Plugins
Reporter: Gancho Tenev
While reading the code found 2 security issues url_sig code which would allow:
- Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP
request (segmentation fault due out-of-bounds array access) - there is a need
of proper sanitation of the key index input (query parameter)
- Issue 2: to gain access to protected assets by signing the URL with an empty
secret key if at least one of the 16 keys is not provided in the uri_sig plugin
configuration. One could "scan" trying all keys 0 to 15 and for the empty key
the signature validation would succeed - must to deny access if the key
specified in the signature is not defined in the plugin config (empty).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
