Local security Scan

Our in-house Nessus security scans pick up a “medium” vulnerability identified through the existence of Apache Shiro as it detected port 9090. We are running Openfire 3.82 and of course its management page runs over port 9090. Does Openfire make use of or run Apache Shiro?

Here is a copy of what is reported in the scan:


Plugin Text: Synopsis: The remote web server appears to use a security framework that is affected by an information disclosure vulnerability.

Description: The remote web server appears to be using a version of the Shiro open source security framework that that does not properly normalize URI paths before comparing them to entries in the framework’s ‘shiro.ini’ file.

A remote attacker can leverage this issue to bypass authentication, authorization, or other types of security restrictions via specially crafted requests.

Solution: Upgrade to Shiro 1.1.0 or later.

See Also: http://archives.neohapsis.com/archives/bugtraq/2010-11/0046.html

CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Score: 4.1
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:ND
Plugin Output:
Nessus was able to exploit this issue to bypass authentication and
gain access to a page using the following URL :
http://myserver.mycompany.com:9090/./style/
Note that Nessus has not actually verified that a vulnerable
version of Shiro is in use but only inferred that one is based on
the use of a published exploit to bypass authentication.


Can anyone else emulate this? Are we just picking up a false positive?

Thanks!
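The flaw class the plugin text describes (URL rules compared against a path that has not been normalized) can be reproduced offline. The following is an added example, not part of the original post and not Shiro's or Openfire's code; the rule table, the `/admin/` path and all function names are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed rules in the spirit of a shiro.ini [urls] section (first match
# wins). These are hypothetical, not Openfire's or Shiro's real configuration.
RULES = [
    ("/style/*", "anon"),    # static assets, served without login
    ("/admin/*", "authc"),   # pages that require an authenticated session
]

def normalize(path):
    """Percent-decode, then collapse '.', '..' and empty segments."""
    parts = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    norm = "/" + "/".join(parts)
    if path.endswith("/") and norm != "/":
        norm += "/"          # keep a trailing slash so "/style/" stays a directory
    return norm

def decide(path, normalize_first):
    """Return the filter chosen for path, or 'unfiltered' if no rule matches."""
    candidate = normalize(path) if normalize_first else path
    for pattern, filter_name in RULES:
        if fnmatchcase(candidate, pattern):
            return filter_name
    return "unfiltered"

def is_bypass(path):
    """A probe shows a real bypass only if the canonical target needs auth
    and the raw, un-normalized path slipped past that rule."""
    return decide(path, True) == "authc" and decide(path, False) != "authc"

if __name__ == "__main__":
    for probe in ("/./style/", "/./admin/users.jsp", "/%2e/admin/users.jsp"):
        print(probe, "raw:", decide(probe, False),
              "normalized:", decide(probe, True), "bypass:", is_bypass(probe))
```

Under these constructed rules a `/./` probe against a path that is public anyway is not a bypass, while the same trick against a protected path is, so the triage question for a finding like this one is whether the probed path requires authentication when requested in its normal form.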