[Geoserver-devel] GeoFence security vulnerabilities

Hi all, apologies if this isn’t the most appropriate place to discuss.

A customer ran a security scan against the GeoFence community module in GeoServer and found 4 Medium priority vulnerabilities in the module, related to potentially storing passwords in heap/memory. After looking at the scan results, the findings were isolated to just

/src/community/geofence/src/main/java/org/geoserver/geoserver/authentication/filter/GeoFenceAuthFilter.java

Upon further investigation, I found that all of the findings were contained inside 2 methods, both of which are private. The doAuth() method does not appear to be called anywhere in the class, and the getBasicAuth() method is only called from within the doAuth() method. I don’t really know the GeoFence module well, but it would seem that these 2 methods could simply be removed from the code.

I have a PR here:

https://github.com/geoserver/geoserver/pull/2791

If I have overlooked something, I would appreciate any comments or feedback.

Many thanks,

Erik Merkle
Software Engineer | Boundless

This is very much NOT an appropriate place to discuss. As per our Responsible Disclosure Policy, all discussion of any security vulnerability should be by private email to the PSC or individual developers.

Torben

On Thu, Mar 8, 2018 at 12:36 PM, Erik Merkle <emerkle@anonymised.com> wrote: