[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gancho Tenev updated TS-3649: ----------------------------- Attachment: TS-3649-url_sig-security_issues.patch Please find the patch attached: TS-3649-url_sig-security_issues.patch > url_sig plugin security issues (crash by HTTP request, circumvent signature) > ---------------------------------------------------------------------------- > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins > Reporter: Gancho Tenev > Assignee: Gancho Tenev > Fix For: 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)