Apache Shiro Authentication Bypass Vulnerability in Static Files on Case-Insensitive Filesystems

Vulnerability

An authentication bypass vulnerability has been identified in Apache Shiro versions prior to 2.0.7. The issue arises when static files are served from a case-insensitive filesystem, such as the default macOS setup: the filesystem resolves a filename regardless of its case, so a request can reach a static file by varying the case of the filename, while a Shiro filter chain that contains only lowercase patterns fails to match the request and is bypassed. Shiro 2.0.7 and later add a parameter that makes this path matching case-insensitive; it can be set in the shiro.ini or application.properties files. Shiro 3.0.0 and later will enable this case-insensitive setting by default.
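As an added illustration, not Shiro's own code, the following Python model shows why lowercase filter-chain patterns are not enough when the underlying filesystem ignores case, and what case-insensitive pattern matching changes. The chain entries, the file names and the `case_insensitive` switch are constructed for the example; Shiro's real matcher and configuration key are not reproduced here.

```python
import fnmatch

# Constructed shiro.ini-style [urls] chain: patterns are lowercase, which is the
# configuration the advisory describes as bypassable. First matching entry wins,
# as in Shiro. fnmatch treats '**' like '*', a simplification of Ant-style paths.
FILTER_CHAIN = [
    ("/static/admin/**", "authc"),   # requires an authenticated subject
    ("/static/**", "anon"),          # everything else under /static is public
]

# Constructed model of a case-insensitive filesystem (the macOS default): the
# file exists under one canonical name, but lookups ignore case.
STATIC_FILES = {"/static/admin/report.txt": b"confidential"}


def match_filter(path, case_insensitive):
    """Return the filter name of the first chain entry matching the request path."""
    probe = path.lower() if case_insensitive else path
    for pattern, filt in FILTER_CHAIN:
        pat = pattern.lower() if case_insensitive else pattern
        if fnmatch.fnmatchcase(probe, pat):
            return filt
    return None  # no entry matched: the request falls through unfiltered


def lookup_file(path):
    """Resolve a path the way a case-insensitive filesystem would."""
    for name, data in STATIC_FILES.items():
        if name.lower() == path.lower():
            return data
    return None


def handle_request(path, authenticated, case_insensitive):
    """Return 'denied', 'served' or 'not found' for one GET of a static path."""
    filt = match_filter(path, case_insensitive)
    if filt == "authc" and not authenticated:
        return "denied"
    return "served" if lookup_file(path) is not None else "not found"
```

With `case_insensitive=False` a differently cased path falls through to the `anon` entry and the filesystem still finds the file; with `case_insensitive=True` the `authc` entry matches and the request is denied.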

Impact

Exploitation of this vulnerability allows an authentication bypass when static files are accessed on a case-insensitive filesystem, potentially leading to unauthorized access to those files.

Remediation

Users are advised to upgrade to Apache Shiro version 2.0.7 or later. In Shiro 2.0.7 and later, the case-insensitive parameter can be set to true in the shiro.ini or application.properties files. Shiro 3.0.0 and later apply this setting by default.

Added: Feb 9, 2026, 10:19 AM
Updated: Feb 9, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.5
exploitability: 4.3
remediation: 8.3
relevance: 2.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.