uPortal 2016-11-14 Webproxy Portlet caching vulnerability


This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

Affected software products:

  • Webproxy Portlet , versions 2.0.0 through 2.2.1 . 2.2.2 includes a fix.

Recent uPortal versions ship with bugged Webproxy Portlet versions.

Problem:

Affected versions

  • By default, cache proxied content, and
  • Require a source code edit to turn off this default behavior, and
  • Improperly compute the cache keys such that in some cases too little information is considered in computing cache keys.

Consequence:

  • Most adopters will not have locally turned off this caching strategy even if it is inappropriate for local usages, and
  • Usages where different users proxy the same backing URL may yield improper cross-user cache hits, with user B seeing content proxied for user A.

Saving graces:

  • For security purposes, this only matters if the proxies are interesting, providing personalized content.
  • Usages with unique URLs, such as where user attributes are conveyed as request parameters in the URL or the initial request in a typical Proxy CAS integration, will not yield improper cache hits.

Solutions:

  • Upgrade to Webproxy Portlet version 2.2.2 or later.
  • Locally modify your Webproxy Portlet 2 implementation to turn off caching, by de-activating or removing CachingHttpContentServiceImpl and instead activating HttpContentServiceImpl.

-Andrew

Related Posts

CAS 5.2.0 RC1 Feature Release

...in which I present an overview of CAS 5.2.0 RC1 release.

CAS 5 - Maintaining Protocol Compatibility

A short and sweet CAS 5 guide on how to get CAS Protocol v2 to act as v3.

MyUW in 2016 - by the numbers

Reflecting upon MyUW in 2016 as framed by metrics.

CAS Codebase Overview

An overview of the CAS codebase organization and layout in which I also dig into the rationale behind project's efforts on modularization and code decomposition.

CAS 5 Load Tests by Lafayette College

Lafayette College shares the results of stress tests executed against a recent CAS 5.0.x deployment.

Shibbolizing Apereo CAS

Learn about a rather fancy Apereo CAS server deployment, sitting behind the Shibboleth Service Provider.

Easier CLA submission

A new online form supplements prior ways of submitting contributor license agreements.

CAS 5.0.x Integration w/ Apache ZooKeeper

Learn how to have Apache ZooKeeper manage the configuration of CAS 5.0.x

CAS 5.1.0 RC4 Feature Release

...in which I present an overview of CAS 5.1.0 RC4 release.

CAS 5.1.0 RC3 Feature Release

...in which I present an overview of CAS 5.1.0 RC3 release.