[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14568488#comment-14568488 ] ASF subversion and git services commented on TS-3649: - Commit b8ca26129da735ca704555b485667704f563437e in trafficserver's branch refs/heads/5.3.x from [~zwoop] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=b8ca261 ] TS-3649: Add to CHANGES. (cherry picked from commit 133df337c682ca2ae76a983bfbdea51e2f2ffc82) Conflicts: CHANGES > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 5.3.1, 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14568487#comment-14568487 ] ASF subversion and git services commented on TS-3649: - Commit d284c9d1a65cec9a7f69aa92547a87a746eb359d in trafficserver's branch refs/heads/5.3.x from [~gancho] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=d284c9d ] TS-3649 Fix for url_sig plugin security issues (crash by HTTP request, circumvent signature). (cherry picked from commit 3f523ea5db49e244f9a09b4752d06031e3f31130) > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 5.3.1, 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14568489#comment-14568489 ] ASF subversion and git services commented on TS-3649: - Commit 62be18134f670c0fc1884ded025e8314faf3bccb in trafficserver's branch refs/heads/5.3.x from [~psudaemon] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=62be181 ] TS-3649: Check key length during config parse (cherry picked from commit 7cae891870a5634dd28f2a679ff3b4f9a9fbe82b) > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 5.3.1, 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14568040#comment-14568040 ] ASF subversion and git services commented on TS-3649: - Commit 7cae891870a5634dd28f2a679ff3b4f9a9fbe82b in trafficserver's branch refs/heads/master from [~psudaemon] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=7cae891 ] TS-3649: Check key length during config parse > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14567840#comment-14567840 ] ASF GitHub Bot commented on TS-3649: Github user asfgit closed the pull request at: https://github.com/apache/trafficserver/pull/208 > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14567839#comment-14567839 ] ASF subversion and git services commented on TS-3649: - Commit 133df337c682ca2ae76a983bfbdea51e2f2ffc82 in trafficserver's branch refs/heads/master from [~zwoop] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=133df33 ] Added TS-3649. This closes #208 > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14567837#comment-14567837 ] ASF subversion and git services commented on TS-3649: - Commit 3f523ea5db49e244f9a09b4752d06031e3f31130 in trafficserver's branch refs/heads/master from [~gancho] [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=3f523ea ] TS-3649 Fix for url_sig plugin security issues (crash by HTTP request, circumvent signature). > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14567633#comment-14567633 ] ASF GitHub Bot commented on TS-3649: GitHub user gtenev opened a pull request: https://github.com/apache/trafficserver/pull/208 TS-3649 Fix for url_sig plugin security issues (crash by HTTP request & circumvent signature). You can merge this pull request into a Git repository by running: $ git pull https://github.com/gtenev/trafficserver TS-3649_url_sig_fix Alternatively you can review and apply these changes as the patch at: https://github.com/apache/trafficserver/pull/208.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #208 commit 81e2574e1007db136e0572ba438e08ecd3b7f037 Author: Gancho Tenev Date: 2015-06-01T17:17:40Z TS-3649 Fix for url_sig plugin security issues (crash by HTTP request, circumvent signature). > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.patch, > TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14565696#comment-14565696 ] Phil Sorber commented on TS-3649: - Can you attach your patch too? > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev >Assignee: Gancho Tenev > Fix For: 6.0.0 > > Attachments: TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must deny access > if the key specified in the signature is not defined in the plugin config > (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3649) url_sig plugin security issues (crash by HTTP request, circumvent signature)
[ https://issues.apache.org/jira/browse/TS-3649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14565566#comment-14565566 ] Gancho Tenev commented on TS-3649: -- The fix is ready as well. > url_sig plugin security issues (crash by HTTP request, circumvent signature) > > > Key: TS-3649 > URL: https://issues.apache.org/jira/browse/TS-3649 > Project: Traffic Server > Issue Type: Bug > Components: Plugins >Reporter: Gancho Tenev > Attachments: TS-3649-url_sig-security_issues.rtf > > > While reading the code found 2 security issues url_sig code which would allow: > - Issue 1: to crash ATS which is running the url_sig plugin by using an HTTP > request (segmentation fault due out-of-bounds array access) - there is a need > of proper sanitation of the key index input (query parameter) > - Issue 2: to gain access to protected assets by signing the URL with an > empty secret key if at least one of the 16 keys is not provided in the > uri_sig plugin configuration. One could "scan" trying all keys 0 to 15 and > for the empty key the signature validation would succeed - must to deny > access if the key specified in the signature is not defined in the plugin > config (empty). -- This message was sent by Atlassian JIRA (v6.3.4#6332)
