uPortal 2016-11-14 Webproxy Portlet caching vulnerability


This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

Affected software products:

  • Webproxy Portlet , versions 2.0.0 through 2.2.1 . 2.2.2 includes a fix.

Recent uPortal versions ship with bugged Webproxy Portlet versions.

Problem:

Affected versions

  • By default, cache proxied content, and
  • Require a source code edit to turn off this default behavior, and
  • Improperly compute the cache keys such that in some cases too little information is considered in computing cache keys.

Consequence:

  • Most adopters will not have locally turned off this caching strategy even if it is inappropriate for local usages, and
  • Usages where different users proxy the same backing URL may yield improper cross-user cache hits, with user B seeing content proxied for user A.

Saving graces:

  • For security purposes, this only matters if the proxies are interesting, providing personalized content.
  • Usages with unique URLs, such as where user attributes are conveyed as request parameters in the URL or the initial request in a typical Proxy CAS integration, will not yield improper cache hits.

Solutions:

  • Upgrade to Webproxy Portlet version 2.2.2 or later.
  • Locally modify your Webproxy Portlet 2 implementation to turn off caching, by de-activating or removing CachingHttpContentServiceImpl and instead activating HttpContentServiceImpl.

-Andrew

Related Posts

Easier CLA submission

A new online form supplements prior ways of submitting contributor license agreements.

CAS 5.0.x Integration w/ Apache ZooKeeper

Learn how to have Apache ZooKeeper manage the configuration of CAS 5.0.x

CAS 5.1.0 RC4 Feature Release

...in which I present an overview of CAS 5.1.0 RC4 release.

CAS 5.1.0 RC3 Feature Release

...in which I present an overview of CAS 5.1.0 RC3 release.

CAS 5.0.x Deployment - WAR Overlays

Learn how to configure and build your own CAS deployment via the WAR overlay method, get rich quickly, stay healthy indefinitely and respect family and friends in a few very easy steps.

CAS 5 LDAP AuthN and Jasypt Configuration

Learn how to configure LDAP AuthN with CAS and secure LDAP credentials via Jasypt.

CAS 5 SAML2 Delegated AuthN Tutorial

Learn how to delegate authentication requests to external SAML2 identity providers.

Busting the Myth - GA Release

Musings on the trustworthiness of a general availability (GA) release and its production-readiness calibre in open source.

CAS Vulnerability Disclosure

Disclosure of a security issue with the CAS administrative endpoints exposure.

CAS 5.1.0 RC2 Feature Release

...in which I present an overview of CAS 5.1.0 RC2 release.