uPortal 2016-11-14 Webproxy Portlet caching vulnerability


This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

Affected software products:

  • Webproxy Portlet , versions 2.0.0 through 2.2.1 . 2.2.2 includes a fix.

Recent uPortal versions ship with bugged Webproxy Portlet versions.

Problem:

Affected versions

  • By default, cache proxied content, and
  • Require a source code edit to turn off this default behavior, and
  • Improperly compute the cache keys such that in some cases too little information is considered in computing cache keys.

Consequence:

  • Most adopters will not have locally turned off this caching strategy even if it is inappropriate for local usages, and
  • Usages where different users proxy the same backing URL may yield improper cross-user cache hits, with user B seeing content proxied for user A.

Saving graces:

  • For security purposes, this only matters if the proxies are interesting, providing personalized content.
  • Usages with unique URLs, such as where user attributes are conveyed as request parameters in the URL or the initial request in a typical Proxy CAS integration, will not yield improper cache hits.

Solutions:

  • Upgrade to Webproxy Portlet version 2.2.2 or later.
  • Locally modify your Webproxy Portlet 2 implementation to turn off caching, by de-activating or removing CachingHttpContentServiceImpl and instead activating HttpContentServiceImpl.

-Andrew

Related Posts

CAS 5.2.0 RC3 Feature Release

...in which I present an overview of CAS 5.2.0 RC3 release.

CAS 5.2.0 RC2 Feature Release

...in which I present an overview of CAS 5.2.0 RC2 release.

July 2017 uPortal Slack summary

Summarizing Slack traffic about uPortal in July 2017.

June 2017 uPortal Slack summary

Summarizing Slack traffic about uPortal in June 2017.

Apereo CAS - Contribution Guidelines

A quick hands-on guide for one to get started with contributing to the development and prosperity of the Apereo CAS project.

CAS 5.2.0 RC1 Feature Release

...in which I present an overview of CAS 5.2.0 RC1 release.

CAS 5 - Maintaining Protocol Compatibility

A short and sweet CAS 5 guide on how to get CAS Protocol v2 to act as v3.

MyUW in 2016 - by the numbers

Reflecting upon MyUW in 2016 as framed by metrics.

CAS Codebase Overview

An overview of the CAS codebase organization and layout in which I also dig into the rationale behind project's efforts on modularization and code decomposition.

CAS 5 Load Tests by Lafayette College

Lafayette College shares the results of stress tests executed against a recent CAS 5.0.x deployment.