Perfree Go-Fastdfs-Web Hardcoded Apache Shiro Cipher Key Vulnerability
Vulnerability
A critical vulnerability exists in Perfree Go-Fastdfs-Web versions through 1.3.7, related to the Apache Shiro RememberMe functionality. The issue arises from a hardcoded AES encryption key in the ShiroConfig.java file, specifically within the rememberMeManager function. Because Shiro decrypts the rememberMe cookie with that key and then Java-deserializes the result, anyone who knows the key can forge a valid cookie. This allows unauthenticated remote attackers to create malicious serialized objects, encrypt them with the known key, and execute remote code on the affected server.
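The following Java class is an added illustration, not code from Go-Fastdfs-Web, showing the hardcoded-key pattern the advisory describes next to a hardened rememberMeManager configuration. The Base64 string "PLACEHOLDER_BASE64_KEY=" stands in for whatever constant the project shipped (the real value is not reproduced here), and the environment variable name SHIRO_REMEMBERME_KEY is an assumed deployment convention. The Shiro calls (CookieRememberMeManager.setCipherKey, AesCipherService.generateNewKey, org.apache.shiro.codec.Base64) are real Shiro 1.x API.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Added example (not the project's own code): vulnerable pattern vs. hardened fix.
@Configuration
public class ShiroConfig {

    // VULNERABLE PATTERN (illustrative only): a fixed Base64 key committed to source.
    // Everyone who can read the repository knows the key, so every deployment
    // accepts rememberMe cookies forged with it. The constant is a placeholder,
    // not the key from Go-Fastdfs-Web.
    public CookieRememberMeManager vulnerableRememberMeManager() {
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(Base64.decode("PLACEHOLDER_BASE64_KEY="));
        return manager;
    }

    // HARDENED: the key is supplied per deployment through an environment
    // variable (SHIRO_REMEMBERME_KEY, an assumed name) and is never committed.
    // If it is missing or malformed, refuse to start instead of silently falling
    // back to a predictable default.
    @Bean
    public CookieRememberMeManager rememberMeManager() {
        String encoded = System.getenv("SHIRO_REMEMBERME_KEY");
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException(
                "SHIRO_REMEMBERME_KEY is not set; refusing to start with a default rememberMe key");
        }
        byte[] key = Base64.decode(encoded);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException(
                "SHIRO_REMEMBERME_KEY must decode to a 128-, 192- or 256-bit AES key");
        }
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(key);
        return manager;
    }

    @Bean
    public DefaultWebSecurityManager securityManager(CookieRememberMeManager rememberMeManager) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMeManager);
        return securityManager;
    }

    // One-off helper for operators: mint a fresh random AES key to place in the
    // environment variable. Run it once per deployment, not at every startup,
    // or existing rememberMe cookies will stop validating after each restart.
    public static String newRandomKeyBase64() {
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        return Base64.encodeToString(key);
    }
}
```

The check that matters for detection is simple: any `setCipherKey(Base64.decode("..."))` with a literal argument in version control is the vulnerable shape, regardless of the key's value. Rotating the key on an already-deployed instance invalidates outstanding rememberMe cookies, which is the intended effect after a key has been disclosed.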
Impact
Exploitation of this vulnerability allows for remote code execution on the target server.
Reproduction
To reproduce this vulnerability, an attacker can craft a serialized object and encrypt it using the hardcoded AES key. This encrypted object can then be sent to the server, where the application will deserialize it, leading to remote code execution.
