@apetro
Last active November 10, 2016 20:59
WPP-101 supporting materials

Blog entry for posting to apereo.github.io:

uPortal community,

This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

Affected software products:

  • Webproxy Portlet, versions 2.0.0 through 2.2.1. Version 2.2.2 includes a fix.

Recent uPortal releases bundle affected Webproxy Portlet versions, so adopters who have never upgraded the portlet separately are likely running one.

Problem:

Affected versions

  • By default, cache proxied content, and
  • Require a source code edit to turn off this default behavior, and
  • Improperly compute the cache keys such that in some cases too little information is considered (in particular, nothing that identifies the requesting user), so that responses proxied for different users can share a cache key.

Consequence:

  • Most adopters will not have locally turned off this caching strategy, even where it is inappropriate for their usage, because doing so requires a source code edit, and
  • Usages where different users proxy the same backing URL may yield improper cross-user cache hits, with user B seeing content that was proxied for user A.

Saving graces:

  • For security purposes, this matters only where the proxied content is personalized: a cross-user cache hit on content that is identical for every user discloses nothing.
  • Usages where each user's backing URL is unique, such as where user attributes are conveyed as request parameters in the URL, or the initial request in a typical Proxy CAS integration (which carries a per-user proxy ticket), will not yield improper cache hits. Adopters should confirm that the URL is actually unique per user for every proxied request, not only the first one.
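The following is an added illustration written for this post, not Webproxy Portlet code: a minimal proxy cache whose key is derived from the backing URL alone, compared with a key that includes the requesting user and with caching disabled (the 2.2.2 behavior). The backend, the URL and the user names are constructed for the example. It shows the cross-user hit the advisory describes, and why a per-user URL (for example a user attribute passed as a request parameter) does not collide.

```python
# Added example, not code from Webproxy Portlet or uPortal. Models three
# cache-keying strategies for a content proxy and checks which ones let
# user B receive content that was proxied for user A.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# (url, user) -> cache key, or None to bypass the cache entirely
KeyFn = Callable[[str, str], Optional[str]]


def personalized_backend(url: str, user: str) -> str:
    # Hypothetical backend that returns user-specific content. A real backend
    # would identify the user from a cookie or proxy ticket; the user is passed
    # explicitly here only to keep the example self-contained.
    return f"<p>Welcome {user}. Content proxied from {url}.</p>"


@dataclass
class ProxyCache:
    key_fn: KeyFn
    store: Dict[str, str] = field(default_factory=dict)
    hits: int = 0

    def fetch(self, url: str, user: str) -> str:
        key = self.key_fn(url, user)
        if key is not None and key in self.store:
            self.hits += 1  # served from cache regardless of who is asking
            return self.store[key]
        body = personalized_backend(url, user)
        if key is not None:
            self.store[key] = body
        return body


def url_only_key(url: str, user: str) -> Optional[str]:
    # Models the affected behavior: nothing about the requesting user enters the key.
    return url


def url_and_user_key(url: str, user: str) -> Optional[str]:
    # A per-user key; the NUL separator keeps user and URL from running together.
    return f"{user}\x00{url}"


def no_cache_key(url: str, user: str) -> Optional[str]:
    # Models the fix shipped in 2.2.2 (and HttpContentServiceImpl): no caching.
    return None


def cross_user_leak(key_fn: KeyFn, url_for: Callable[[str], str]) -> bool:
    """Alice fetches first; report whether Bob then receives Alice's content."""
    cache = ProxyCache(key_fn)
    cache.fetch(url_for("alice"), "alice")
    bob_sees = cache.fetch(url_for("bob"), "bob")
    return "alice" in bob_sees


SHARED_URL = "https://grades.example.edu/portal/summary"  # constructed sample URL


def shared(user: str) -> str:
    # Every user proxies the same backing URL.
    return SHARED_URL


def unique(user: str) -> str:
    # A user attribute travels as a request parameter, so the URL is per-user.
    return f"{SHARED_URL}?uid={user}"


if __name__ == "__main__":
    print("url-only key, shared URL:", cross_user_leak(url_only_key, shared))      # True: leak
    print("url-only key, unique URL:", cross_user_leak(url_only_key, unique))      # False
    print("url+user key, shared URL:", cross_user_leak(url_and_user_key, shared))  # False
    print("no cache,     shared URL:", cross_user_leak(no_cache_key, shared))      # False
```

The per-user key is deliberately a simplification: a proxied response can also vary with cookies, authorization headers and anything else the backend uses to personalize, and a key that omits any of them reintroduces the same class of cross-user hit. That is why removing caching outright is the simpler safe fix.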

Solutions:

  • Upgrade to Webproxy Portlet version 2.2.2 or later.
  • If you cannot upgrade yet, locally modify your Webproxy Portlet 2 deployment to turn off caching, by de-activating or removing CachingHttpContentServiceImpl and instead activating HttpContentServiceImpl.

-Andrew

Email for posting to uportal-dev@:

Subject: Webproxy Portlet v2.2.2 removes bugged caching feature

uPortal developers,

Webproxy Portlet 2 versions prior to 2.2.2 cached proxied content too aggressively, with cache keys that could let one user receive content proxied for another; this is a security vulnerability.

Version 2.2.2 addresses this issue by simply removing the caching feature.

Addressing the vulnerability quickly and simply in this way creates the opportunity to collaborate on implementing more nuanced caching, or to collaboratively realize that the feature is not yet needed.

See also

Kind regards,

Andrew

Email for posting to uportal-user@:

Subject: Vulnerability notification: WPP-101 Webproxy Portlet caching

uPortal community,

This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

Webproxy Portlet, versions 2.0.0 through 2.2.1, are affected. Version 2.2.2 includes a fix.

Recent uPortal releases bundle affected Webproxy Portlet versions.

See apereo.github.io post for details.

Kind regards,

Andrew
