[
https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14567839#comment-14567839
]
ASF subversion and git services commented on TS-3649:
-----------------------------------------------------
Commit 133df337c682ca2ae76a983bfbdea51e2f2ffc82 in trafficserver's branch
refs/heads/master from [~zwoop]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=133df33 ]
Added TS-3649.
This closes #208
> url_sig plugin security issues (crash by HTTP request, circumvent signature)
> ----------------------------------------------------------------------------
>
> Key: TS-3649
> URL: https://issues.apache.org/jira/browse/TS-3649
> Project: Traffic Server
> Issue Type: Bug
> Components: Plugins
> Reporter: Gancho Tenev
> Assignee: Gancho Tenev
> Fix For: 6.0.0
>
> Attachments: TS-3649-url_sig-security_issues.patch,
> TS-3649-url_sig-security_issues.rtf
>
>
> While reading the code found 2 security issues url_sig code which would allow:
> - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP
> request (segmentation fault due out-of-bounds array access) - there is a need
> of proper sanitation of the key index input (query parameter)
> - Issue 2: to gain access to protected assets by signing the URL with an
> empty secret key if at least one of the 16 keys is not provided in the
> uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and
> for the empty key the signature validation would succeed - must deny access
> if the key specified in the signature is not defined in the plugin config
> (empty).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
