first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
BIN shiro/CVE-2010-3863/1.png Normal file
Binary file not shown. Size: 153 KiB
BIN shiro/CVE-2010-3863/2.png Normal file
Binary file not shown. Size: 222 KiB
33 shiro/CVE-2010-3863/README.md Normal file
@@ -0,0 +1,33 @@
# Apache Shiro Authentication Bypass Vulnerability (CVE-2010-3863)

[中文版本(Chinese version)](README.zh-cn.md)

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the `/./`, `/../`, `/`, `//` URI.

References:

- <https://github.com/apache/shiro/commit/ab8294940a19743583d91f0c7e29b405d197cc34>
- <https://xz.aliyun.com/t/11633#toc-2>
- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863>

## Vulnerable Environment

Start an application with Spring and Shiro 1.0.0 by executing the following command.

```
docker compose up -d
```

Once the environment is started, visit ``http://your-ip:8080`` to see the home page.

## Vulnerability Reproduce

A direct request to the admin page `/admin` is inaccessible and will be redirected to the login page.



Construct a malicious request `/./admin` to bypass authentication checks and access the admin page.


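Review bot: the reproduction shows that `/./admin` works but never says why, and the description attributes the comparison to `shiro.ini` while the environment is described as a Spring application, so the two sentences read as contradictory. In the "Vulnerability Reproduce" section, add one sentence: the filter chain (whether defined in shiro.ini or in the Spring config, the bug is the same either way) is matched against the request path exactly as received, so `/./admin` does not match the pattern that protects `/admin`, while the container still dispatches the request to the admin page; Shiro 1.1.0 fixes this by normalizing the path before matching (the linked commit ab8294940a19743583d91f0c7e29b405d197cc34). The description also lists `/../`, `/` and `//`, but only `/./admin` is demonstrated; either show one of the other listed forms, such as `//admin`, or state that they behave the same way. Minor: the fence before `docker compose up -d` has no language tag, and "Vulnerability Reproduce" reads better as "Vulnerability Reproduction".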
31 shiro/CVE-2010-3863/README.zh-cn.md Normal file
@@ -0,0 +1,31 @@
# Apache Shiro 认证绕过漏洞(CVE-2010-3863)

Apache Shiro是一款开源安全框架,提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用,同时也能提供健壮的安全性。

在Apache Shiro 1.1.0以前的版本中,shiro 进行权限验证前未对url 做标准化处理,攻击者可以构造`/`、`//`、`/./`、`/../` 等绕过权限验证

参考链接:

- <https://github.com/apache/shiro/commit/ab8294940a19743583d91f0c7e29b405d197cc34>
- <https://xz.aliyun.com/t/11633#toc-2>
- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863>

## 环境搭建

执行如下命令启动一个搭载Shiro 1.0.0的应用:

```
docker compose up -d
```

环境启动后,访问`http://your-ip:8080`即可查看首页。

## 漏洞复现

直接请求管理页面`/admin`,无法访问,将会被重定向到登录页面:



构造恶意请求`/./admin`,即可绕过权限校验,访问到管理页面:


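Review bot: the affected-versions sentence in this file drops the JSecurity 0.9.x range that the English README gives, and the environment line omits that the application is Spring-based; keep the two READMEs in sync so readers of either get the same scope. The same affected-versions sentence also ends without a full stop. As in the English file, only `/./admin` is demonstrated although `/`, `//` and `/../` are listed as bypass forms, so say whether the other forms behave the same way.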
5 shiro/CVE-2010-3863/docker-compose.yml Normal file
@@ -0,0 +1,5 @@
services:
web:
image: vulhub/shiro:1.0.0
ports:
- "8080:8080"
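Review bot: `"8080:8080"` publishes a service whose admin page is reachable without credentials on every host interface; unless remote access is intended (the README's `your-ip` wording suggests it is), bind to loopback with `"127.0.0.1:8080:8080"`, or state in the README that the lab must not be left exposed. The image tag `vulhub/shiro:1.0.0` matches the "Shiro 1.0.0" stated in the README, which is good; consider also pinning the image by digest so the reproduction stays stable if the tag is ever rebuilt.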