[http://www.stripesframework.org/jira/browse/STS-918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13076#comment-13076]
Xiaoyong Wu commented on STS-918:
---------------------------------
I am still considering this as a security issue. Let's assume we have a
password field that repopulates the user's password in encrypted format. In that
case, the attacker would have control over the encryption and could generate any
forward point he wants. Now, he can try a password such as "/WEB-INF/web.xml", which in most
cases is not accessible from the server, get its encrypted format
"BASE64_ENCRYPTED_WEBXML", and pass that in for "_sourcePage". The
getSourcePageResolution() would be happy to forward the request and the
attacker has access to the web.xml.
> All parameters encrypted/decrypted with the same secret
> -------------------------------------------------------
>
> Key: STS-918
> URL: http://www.stripesframework.org/jira/browse/STS-918
> Project: Stripes
> Issue Type: Bug
> Reporter: Xiaoyong Wu
>
> Hi,
> I have been looking at the Stripes framework and specifically at CryptoUtil
> class usage. It looks to me that all the parameters are encrypted/decrypted
> with the same secret, such as "s:password" repopulation and the "__fp" and
> "_sourcePage" internal parameters. Depending on implementation details on
> different sites, this makes the sites vulnerable to replay attacks, such as
> copying an encrypted password to "__fp", copying a known redirect resolution
> page to "_sourcePage", etc.
> It would be great if the framework could use different secrets derived from the
> configured one and use them with different parameters, fields and other different
> intentions.
> -Xiaoyong
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
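To show the mitigation the reporter asks for, here is an added Go example (not Stripes code, and not written by anyone in this thread). It derives a separate key per parameter name from one configured secret with HMAC-SHA256, and additionally binds the parameter name as AES-GCM associated data, which goes one step beyond the report's suggestion so that a ciphertext issued for "s:password" is rejected when presented as "_sourcePage". The master secret, the parameter labels and the AES-GCM construction are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// masterSecret stands in for the single configured secret the issue describes.
// Constructed value for this example only.
var masterSecret = []byte("example-master-secret-not-for-real-use")

// deriveKey turns the master secret into a purpose-specific 32-byte key.
// Values sealed under one purpose cannot be opened under another because
// the keys differ (assumed HKDF-like scheme, not Stripes' own).
func deriveKey(master []byte, purpose string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("param-key:" + purpose))
	return mac.Sum(nil)
}

func gcmFor(param string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(masterSecret, param))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext for one named request parameter. The parameter
// name is also passed as associated data, so the ciphertext is tied to it
// even if keys were ever shared.
func Encrypt(param, plaintext string) (string, error) {
	gcm, err := gcmFor(param)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(param))
	return base64.URLEncoding.EncodeToString(ct), nil
}

// Decrypt opens a value only if it was sealed for this same parameter name.
func Decrypt(param, encoded string) (string, error) {
	ct, err := base64.URLEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(param)
	if err != nil {
		return "", err
	}
	if len(ct) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, body, []byte(param))
	if err != nil {
		return "", fmt.Errorf("value was not issued for parameter %q", param)
	}
	return string(pt), nil
}

// ReplayRejected reproduces the scenario in the comment on the defender's
// side: a value sealed for the password field is presented as _sourcePage.
// It returns true when the _sourcePage decryptor refuses it.
func ReplayRejected() (bool, error) {
	token, err := Encrypt("s:password", "/WEB-INF/web.xml")
	if err != nil {
		return false, err
	}
	_, err = Decrypt("_sourcePage", token)
	return err != nil, nil
}

func main() {
	ok, err := ReplayRejected()
	fmt.Println("cross-parameter replay rejected:", ok, err)
}
```

With a single shared key and no associated data, the same ciphertext would decrypt cleanly under "_sourcePage"; with per-purpose keys and the parameter name bound into the tag, gcm.Open fails authentication and the forward never happens.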
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development