[CVE-2020-1957] Analysis of the Shiro authentication bypass vulnerability when used together with Spring

0x00 Vulnerability profile

https://www.openwall.com/lists/oss-security/2020/03/23/2

 

0x01 Vulnerability analysis

I checked the official commit and found the relevant information in https://github.com/apache/shiro/commit/9762f97926ba99ac0d958e088cae3be8b657948d

 

 

Roughly: when Spring Web matches a URL it tolerates a redundant trailing /, whereas Shiro does not match such a URL, and this mismatch leads to the bypass. The pull request was submitted by tomsun28.

 

0x02 Building the vulnerable environment

Use Spring Boot + Shiro to build a simple demo, with reference to the code at https://segmentfault.com/a/1190000019440231 (integrated the native Java way).
The Shiro version used is 1.4.0.
In the Shiro config, configure a filter for the URL "/test/secret" so that login is required to access this URL.

 

LoginController is configured with the following code, which returns a message that requires authentication:

    @GetMapping("/test/secret")
    public String secret(){
        return "secret";
    }

Accessing /test/secret directly redirects to the login page.

 

Accessing /test/secret/ returns secret.

 

 

The official fix is also very simple: a URL with a trailing / is now also taken into account and matched again.
By the way, when pulling the package with Maven, I found that the 1.5.1 source code had already been fixed, while the 1.5.0 and 1.4.2 sources could not be pulled.
 
0x03 Summary
Personally, I think this vulnerability is of rather little practical value: authentication rules should always be written by listing what does not need login, and finally adding a catch-all match, as follows:

 

 

That way this problem does not exist.
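
The mismatch, the idea of the fix and the catch-all rule described above, as an added example that is not from the original post and is not Shiro or Spring source code. It is a simplified Java model: `filterFor`, `matches`, `springDispatches` and the `/login` path are hypothetical stand-ins, and only exact and `/**` patterns are handled.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model constructed for illustration; not Shiro or Spring source.
public class TrailingSlashMismatch {

    // Stand-in for the filter-chain lookup: first matching pattern wins,
    // and "none" means no filter is applied to the request.
    static String filterFor(Map<String, String> chains, String uri, boolean stripTrailingSlash) {
        if (stripTrailingSlash && uri.length() > 1 && uri.endsWith("/")) {
            uri = uri.substring(0, uri.length() - 1); // idea of the fix: match again without the final "/"
        }
        for (Map.Entry<String, String> e : chains.entrySet()) {
            if (matches(e.getKey(), uri)) return e.getValue();
        }
        return "none";
    }

    // Handles only the two pattern forms used here: an exact path and a "/**" suffix.
    static boolean matches(String pattern, String uri) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return uri.equals(prefix) || uri.startsWith(prefix + "/");
        }
        return pattern.equals(uri);
    }

    // Stand-in for Spring's tolerant mapping: "/test/secret/" reaches the "/test/secret" handler.
    static boolean springDispatches(String mapping, String uri) {
        return uri.equals(mapping) || uri.equals(mapping + "/");
    }

    public static void main(String[] args) {
        Map<String, String> demo = new LinkedHashMap<>();
        demo.put("/test/secret", "authc");   // the rule from the demo above

        Map<String, String> denyByDefault = new LinkedHashMap<>();
        denyByDefault.put("/login", "anon"); // hypothetical public path
        denyByDefault.put("/**", "authc");   // everything else requires login

        for (String uri : new String[] {"/test/secret", "/test/secret/"}) {
            System.out.printf("%-15s handler=%b exact-rule=%s with-fix=%s catch-all=%s%n", uri,
                    springDispatches("/test/secret", uri),
                    filterFor(demo, uri, false),
                    filterFor(demo, uri, true),
                    filterFor(denyByDefault, uri, false));
        }
    }
}
```

A row where `handler=true` and the filter column is `none` is a request that reaches the controller without the login filter; in this model that happens only for `/test/secret/` under the exact rule.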

My technical skill is limited; if my understanding is wrong anywhere, I hope


Origin www.cnblogs.com/r00tuser/p/12575934.html