uPortal 2016-11-14 Webproxy Portlet caching vulnerability


This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

Affected software products:

  • Webproxy Portlet, versions 2.0.0 through 2.2.1. Version 2.2.2 includes a fix.

Recent uPortal releases ship with affected Webproxy Portlet versions.

Problem:

Affected versions

  • By default, cache proxied content, and
  • Require a source code edit to turn off this default behavior, and
  • Improperly compute the cache keys such that in some cases too little information is considered in computing cache keys.

Consequence:

  • Most adopters will not have locally turned off this caching strategy even if it is inappropriate for local usages, and
  • Usages where different users proxy the same backing URL may yield improper cross-user cache hits, with user B seeing content proxied for user A.

Saving graces:

  • For security purposes, this only matters where the proxied content is interesting, that is, personalized to the requesting user.
  • Usages with unique URLs, such as where user attributes are conveyed as request parameters in the URL or the initial request in a typical Proxy CAS integration, will not yield improper cache hits.
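To make the cache-key defect concrete, here is an added simulation (not the Webproxy Portlet's own code) of a proxy cache under two keying strategies. It assumes, for illustration, that the affected key considers only the backing URL, and it constructs the backing site, user names and URLs; it also shows why a per-user unique URL avoids the cross-user hit even with the weak key.

```python
# Added illustration, not the Webproxy Portlet's code: a tiny proxy cache that
# models the advisory's defect. Assumes the weak key considers only the URL.

def upstream_fetch(url: str, user: str) -> str:
    """Constructed backing site: the response is personalised to the caller."""
    return f"<p>Hello {user}, here is {url}</p>"


class ProxyCache:
    """Caches proxied responses under a key chosen by key_fn(url, user)."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def fetch(self, url: str, user: str) -> str:
        key = self.key_fn(url, user)
        if key not in self.store:          # miss: go to the backing site
            self.store[key] = upstream_fetch(url, user)
        return self.store[key]             # hit: reuse whoever filled it


def url_only_key(url: str, user: str):
    """Affected behaviour (assumed): the requesting user is not part of the key."""
    return url


def per_user_key(url: str, user: str):
    """Hardened key: identical URLs proxied for different users never collide."""
    return (user, url)


def shared_url(user: str) -> str:
    """Constructed: every user proxies the same backing URL."""
    return "https://backing.example/grades"


def unique_url(user: str) -> str:
    """Constructed: a user attribute is conveyed as a request parameter."""
    return f"https://backing.example/grades?uid={user}"


def bob_sees_alices_content(key_fn, url_for_user) -> bool:
    """Alice proxies first; report whether Bob then receives her response."""
    cache = ProxyCache(key_fn)
    cache.fetch(url_for_user("alice"), "alice")
    body_for_bob = cache.fetch(url_for_user("bob"), "bob")
    return "Hello alice" in body_for_bob


if __name__ == "__main__":
    print("URL-only key, shared URL:", bob_sees_alices_content(url_only_key, shared_url))  # True
    print("per-user key, shared URL:", bob_sees_alices_content(per_user_key, shared_url))  # False
    print("URL-only key, unique URL:", bob_sees_alices_content(url_only_key, unique_url))  # False
```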

Solutions:

  • Upgrade to Webproxy Portlet version 2.2.2 or later.
  • Locally modify your Webproxy Portlet 2 implementation to turn off caching, by de-activating or removing CachingHttpContentServiceImpl and instead activating HttpContentServiceImpl.

-Andrew
