This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.
Affected software products:
- Webproxy Portlet, versions
2.2.2 includes a fix.
Recent uPortal versions ship with bugged Webproxy Portlet versions.
- By default, cache proxied content, and
- Require a source code edit to turn off this default behavior, and
- Improperly compute the cache keys such that in some cases too little information is considered in computing cache keys.
- Most adopters will not have locally turned off this caching strategy even if it is inappropriate for local usages, and
- Usages where different users proxy the same backing URL may yield improper cross-user cache hits, with user B seeing content proxied for user A.
- For security purposes, this only matters if the proxies are interesting, providing personalized content.
- Usages with unique URLs, such as where user attributes are conveyed as request parameters in the URL or the initial request in a typical Proxy CAS integration, will not yield improper cache hits.
- Upgrade to Webproxy Portlet version
- Locally modify your Webproxy Portlet 2 implementation to turn off caching, by de-activating or removing CachingHttpContentServiceImpl and instead activating
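
The cross-user cache hit described above, as an added Java example that is not Webproxy Portlet code. All class, method and URL names are hypothetical, and the user-scoped key is one assumed way to correct a cache key, not the project's actual fix.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; every name here is hypothetical, not Webproxy Portlet code.
public class ProxyCacheKeyDemo {

    interface KeyFn { String key(String user, String url); }

    // Stand-in for the backing site: content is personalized for the session user.
    static String fetch(String user, String url) {
        return "content of " + url + " rendered for " + user;
    }

    // Flawed key: only the backing URL, so all users of that URL share one entry.
    static String urlOnlyKey(String user, String url) {
        return url;
    }

    // Assumed correction: bind the entry to the requesting user as well as the URL.
    // The length prefix keeps (user, url) pairs from colliding after concatenation.
    static String userScopedKey(String user, String url) {
        return user.length() + ":" + user + url;
    }

    // Minimal caching proxy: serve on a key hit, otherwise fetch and store.
    static String proxy(Map<String, String> cache, KeyFn keyFn, String user, String url) {
        return cache.computeIfAbsent(keyFn.key(user, url), k -> fetch(user, url));
    }

    public static void main(String[] args) {
        String shared = "https://backing.example/inbox"; // constructed URL

        // Same backing URL, URL-only key: user B's request hits user A's entry.
        Map<String, String> flawed = new HashMap<>();
        proxy(flawed, ProxyCacheKeyDemo::urlOnlyKey, "userA", shared);
        System.out.println(proxy(flawed, ProxyCacheKeyDemo::urlOnlyKey, "userB", shared));

        // User attributes conveyed as request parameters make the URLs unique,
        // so even the URL-only key does not collide.
        Map<String, String> unique = new HashMap<>();
        proxy(unique, ProxyCacheKeyDemo::urlOnlyKey, "userA", shared + "?uid=userA");
        System.out.println(proxy(unique, ProxyCacheKeyDemo::urlOnlyKey, "userB", shared + "?uid=userB"));

        // Same backing URL, user-scoped key: each user gets a separate entry.
        Map<String, String> scoped = new HashMap<>();
        proxy(scoped, ProxyCacheKeyDemo::userScopedKey, "userA", shared);
        System.out.println(proxy(scoped, ProxyCacheKeyDemo::userScopedKey, "userB", shared));
    }
}
```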