3.0.1 security fix

Status of this vulnerability

This is a verified vulnerability. This page exists to document how to patch to close this vulnerability in your local uPortal 3.0.0 environment.

The uPortal 3.0.1 release will include this patch alongside other fixes and enhancements.

Vulnerability in a Nutshell

uPortal 3.0.0 and earlier ships with an HttpProxyServlet implementation that is broken in that it will proxy non-image content. This can result in an illicit proxy through the deployed uPortal that constitutes a serious security vulnerability, potentially making cross-site scripting attacks, including session stealing, feasible.

It is important that all uPortal deployments remedy this vulnerability in their local environment.

Technical details of vulnerability

This vulnerability is documented as Jira issue UP-2088.

How to remedy this vulnerability

If you're not using the HttpProxyServlet

Comment out or delete outright this servlet's declaration and configuration in your uPortal web.xml and restart Tomcat to remove it from the environment. Ensure that your local web.xml continues to not include this servlet across future deployments (i.e., also fix this in your local source if you might ever re-deploy your uPortal using the build process).

The Jira entry for this issue has an attached patch making this change.

Here's what the relevant portions of your web.xml end up looking like:

Commenting out proxy servlet in web.xml
  <servlet>
    <servlet-name>Logout</servlet-name>
    <servlet-class>org.jasig.portal.LogoutServlet</servlet-class>
    <load-on-startup>3</load-on-startup>
  </servlet>

<!-- Uncomment this servlet and the corresponding servlet-mapping if ProxyWriter is enabled in portal.properties
  <servlet>
    <servlet-name>HttpProxyServlet</servlet-name>
    <servlet-class>org.jasig.portal.HttpProxyServlet</servlet-class>
  </servlet>
-->

...

  <servlet-mapping>
    <servlet-name>Logout</servlet-name>
    <url-pattern>/Logout</url-pattern>
  </servlet-mapping>

<!-- Uncomment this servlet-mapping and the corresponding servlet if ProxyWriter is enabled in portal.properties
  <servlet-mapping>
    <servlet-name>HttpProxyServlet</servlet-name>
    <url-pattern>/servlet/ProxyServlet/*</url-pattern>
  </servlet-mapping>
-->

A web.xml with the servlet declaration and mapping commented out is also attached to this page.

Removing this servlet from service in your portal environment is sufficient to block this vulnerability. However, if you might want to use the servlet in the future, you may also wish to fix the HttpProxyServlet Java class as discussed below.
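Because the servlet must stay out of web.xml across future deployments, a repeatable check is useful. The following is an added example, not code from uPortal or from this page's patch; the class name ProxyServletAudit is hypothetical. It parses a web.xml with the JDK's DOM parser and reports any live (not commented out) servlet declaration or servlet-mapping for HttpProxyServlet, so it can run as a build or deployment gate. Commented-out blocks like the ones above are invisible to the parser, which is exactly what the check relies on.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical deployment check (not uPortal code): exits non-zero if web.xml still
 *  declares or maps HttpProxyServlet. Usage: java ProxyServletAudit path/to/web.xml */
public class ProxyServletAudit {

    static final String SERVLET_NAME = "HttpProxyServlet";
    static final String SERVLET_CLASS = "org.jasig.portal.HttpProxyServlet";

    /** Returns one finding per live declaration or mapping; an empty list means the servlet is gone. */
    static List<String> audit(Document doc) {
        List<String> findings = new ArrayList<String>();

        // A <servlet> element is live if it uses the known name OR the known class,
        // so renaming the servlet does not slip past the check.
        NodeList servlets = doc.getElementsByTagName("servlet");
        for (int i = 0; i < servlets.getLength(); i++) {
            Element s = (Element) servlets.item(i);
            String name = childText(s, "servlet-name");
            String cls = childText(s, "servlet-class");
            if (SERVLET_NAME.equals(name) || SERVLET_CLASS.equals(cls)) {
                findings.add("<servlet> still declares " + name + " (" + cls + ")");
            }
        }

        // A mapping without a declaration is still worth flagging: it shows the
        // local web.xml was not fully cleaned up.
        NodeList mappings = doc.getElementsByTagName("servlet-mapping");
        for (int i = 0; i < mappings.getLength(); i++) {
            Element m = (Element) mappings.item(i);
            if (SERVLET_NAME.equals(childText(m, "servlet-name"))) {
                findings.add("<servlet-mapping> still maps " + SERVLET_NAME
                        + " to " + childText(m, "url-pattern"));
            }
        }
        return findings;
    }

    /** Text of the first child element with the given tag, or "" if absent. */
    static String childText(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        File webXml = new File(args.length > 0 ? args[0] : "web.xml");
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // web.xml carries a DOCTYPE; do not fetch the DTD over the network during an audit.
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(webXml);

        List<String> findings = audit(doc);
        if (findings.isEmpty()) {
            System.out.println("OK: HttpProxyServlet is not declared or mapped in " + webXml);
        } else {
            for (String f : findings) {
                System.err.println("FAIL: " + f);
            }
        }
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

Run it against the web.xml in your local source tree as well as the one deployed under Tomcat; the two can drift apart, and the deployed copy is the one that actually exposes the servlet.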

If you are using HttpProxyServlet

A simple code fix to HttpProxyServlet.java will block this vulnerability. (It's a matter of fixing HttpProxyServlet to have the code execution path it was intended to have. This patch fixes an unfortunate bug.)

The Jira entry for this issue has an attached patch which shows how to fix HttpProxyServlet.java. HttpProxyServlet is also fixed in the tip of the Subversion source control for the uPortal 3.0 branch.

You will need to run ant deploy-war after applying the patch to deploy the updated files to your uPortal instance.
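The bug described above is that the servlet relays content it was never meant to relay. As an added illustration of the intended behaviour, not the uPortal patch itself and not code from this page, here is a hypothetical ImageOnlyProxyServlet that refuses to forward an upstream response unless its Content-Type is an image type. The URL layout (target URL carried in the path info) is an assumption made for the example; consult the Jira patch for the actual uPortal change.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical image-only proxy (illustration only; not the uPortal HttpProxyServlet).
 * The upstream response is relayed only when its Content-Type says it is an image;
 * anything else is refused before a single body byte reaches the browser.
 */
public class ImageOnlyProxyServlet extends HttpServlet {

    /** Pure policy decision, kept separate from I/O so it can be unit tested. */
    static boolean isImageContentType(String contentType) {
        if (contentType == null) {
            return false; // no declared type: do not guess, do not relay
        }
        // Drop parameters such as "; charset=..." and normalise case before matching.
        String mediaType = contentType.split(";", 2)[0].trim().toLowerCase();
        return mediaType.startsWith("image/");
    }

    /** Only plain HTTP(S) targets are fetched; file:, jar: and similar schemes are refused. */
    static boolean isHttpUrl(String target) {
        String t = target.toLowerCase();
        return t.startsWith("http://") || t.startsWith("https://");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Assumed layout: /servlet/ProxyServlet/http://host/pic.png -> path info "/http://host/pic.png"
        String pathInfo = req.getPathInfo();
        if (pathInfo == null || pathInfo.length() < 2 || !isHttpUrl(pathInfo.substring(1))) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "expected an http(s) image URL");
            return;
        }
        String target = pathInfo.substring(1);

        HttpURLConnection conn = (HttpURLConnection) new URL(target).openConnection();
        conn.setInstanceFollowRedirects(false); // a redirect could lead anywhere; do not chase it
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        conn.connect();

        String contentType = conn.getContentType();
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK || !isImageContentType(contentType)) {
            conn.disconnect();
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "only image content is proxied");
            return;
        }

        // Pass the image through unchanged; the upstream type is already known to be image/*.
        resp.setContentType(contentType);
        InputStream in = conn.getInputStream();
        OutputStream out = resp.getOutputStream();
        try {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
            conn.disconnect();
        }
    }
}
```

The decision to relay is made on the upstream Content-Type before any body bytes are written, and redirects are not followed, so an HTML or script response cannot be served from the portal's own origin, which is what made the original behaviour a cross-site scripting risk.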