uPortal 2016-11-14 Webproxy Portlet caching vulnerability


This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

Affected software products:

  • Webproxy Portlet , versions 2.0.0 through 2.2.1 . 2.2.2 includes a fix.

Recent uPortal versions ship with bugged Webproxy Portlet versions.

Problem:

Affected versions

  • By default, cache proxied content, and
  • Require a source code edit to turn off this default behavior, and
  • Improperly compute the cache keys such that in some cases too little information is considered in computing cache keys.

Consequence:

  • Most adopters will not have locally turned off this caching strategy even if it is inappropriate for local usages, and
  • Usages where different users proxy the same backing URL may yield improper cross-user cache hits, with user B seeing content proxied for user A.

Saving graces:

  • For security purposes, this only matters if the proxies are interesting, providing personalized content.
  • Usages with unique URLs, such as where user attributes are conveyed as request parameters in the URL or the initial request in a typical Proxy CAS integration, will not yield improper cache hits.

Solutions:

  • Upgrade to Webproxy Portlet version 2.2.2 or later.
  • Locally modify your Webproxy Portlet 2 implementation to turn off caching, by de-activating or removing CachingHttpContentServiceImpl and instead activating HttpContentServiceImpl.

-Andrew

Related Posts

CAS 6.0.0 RC3 Feature Release

...in which I present an overview of CAS 6.0.0 RC3 release.

CAS 6.0.0 RC2 Feature Release

...in which I present an overview of CAS 6.0.0 RC2 release.

Apereo CAS - dotCMS SAML2 Integration

Learn how to integrate dotCMS, a Content Management System and Headless CMS, with Apereo CAS running as a SAML2 identity provider.

Effective Software Troubleshooting Tactics

A collection of what hopefully are obvious troubleshooting tactics when it comes to diagnosing software deployment issues and configuration problems.

Apereo CAS - MaxMind Geo2IP ISP Integration

Learn how you may determine the Internet Service Provider, organization name, and autonomous system organization and number associated with the user's IP address in CAS using MaxMind services and present warnings in the authentication flow for the end-user if an IP address is matched.

Notes from Better by Design 2018

Be interested in humans and human success.

Apereo CAS - Authentication Lifecycle Phases

Tap into the Apereo CAS authentication engine from outside, and design extensions that prevent an unsuccessful authentication attempt or warn the user after-the-fact based on specific policies of your choosing.

CAS 6.0.0 RC1 Feature Release

...in which I present an overview of CAS 6.0.0 RC1 release.

Apereo CAS Delegated Authentication with ADFS

Learn how your Apereo CAS deployment may be configured to delegate authentication to Microsoft ADFS.

Apereo CAS Swag with Swagger

Enable Swagger integration with your Apereo CAS APIs.