...
Objet | Vulnérabilité dans uPortal |
Référence | ESUP-2007-AVI-003 |
Date de la première version | 25 juillet 2007 |
Date de la dernière version | 16 octobre 2007 |
Source | liste de diffusion jasig-members du consortium JASIG |
Diffusion de cette version | Publique |
Historique |
|
Pièces jointes |
...
Un pirate peut introduire du code Javascript arbitraire dans le rendu de uPortal s'il fait ouvrir par le
navigateur client une URL du portail malicieusement construite. Les possibilités d'attaque par le code
Javascript incluent notamment la capture de l'identifiant de session, autorisant alors l'usurpation de
l'identité de l'utilisateur.
...
- Installer les classes du correctif ESUP-2007-AVI-003-COR.zip dans les sources de uPortal. Le correctif peut être téléchargé depuis le site web du consortium ESUP-Portail (http://www.esupportail.org)
- Positionner la propriété
org.jasig.portal.serialize.ProxyWriter.resource_proxy_enabled du fichier portal.properties à off. - Commenter ou supprimer la servlet HttpProxyServlet dans le fichier WEB-INF/web.xml
- Redéployer uPortal
- Redémarrer Tomcat
...
Description: when uPortal serializes its response to the browser it passes the response through a filter (org.jasig.portal.serialize.ProxyWriter) which inserts additional URL path elements as configured by the property, org.jasig.portal.serialize.ProxyWriter.resource_proxy_rewrite_prefix. In the past the ProxyWriter class operated on 6 elements: "image","img","script","input","applet","iframe".
The patched version will operate on three element types only: image, img and input. Although it may be convenient to proxy other elements to avoid the mixed content message, this vulnerability response opts for a simpler approach of avoiding entirely these other types of content proxying.
This change comports the proxy writer behavior with the now-more-restricted scope of the HttpProxy
servlet -- this change to ProxyWriter does not itself secure anything, as the nature of the exploit is to
generate proxy servlet instructions by means other than the proxy writer.
...
Summary: HttpProxyServlet will respond with an error code (404) and no content for all objects that do not have a
MIME type that begins with: "image".
Description: this internal proxy handles requests for the proxied embedded content as the browser renders the
response. Previously, the proxy servlet would proxy most anything. With this change, the proxy servlet will
proxy only images. Returning only elements with proper mime type of image the browser is able to protect
itself from illicitly proxied scripts -- in order for the servlet to proxy, the content must appear to have a mime
type of "image", which will discourage the web browser from executing the content.
...
Replace HttpProxyServlet.java and ProxyWriter.java in your local uPortal source tree with the
attached files. Rebuild and re-deploy your uPortal. Rebuilding your uPortal class files with this updated
source is the recommended way to address this exploit in your local uPortal environment.
...
Replace HttpProxyServlet.class and ProxyWriter.class with the attached .class files intended
for use in uPortal 2.5.x. When using this approach, you'll need to also fix the issue in your local build
environment (e.g. by replacing the .java files as described previously) so that when you perform a new
build, the exploit remains fixed.
...
If you applied a previous patch for this issue, you will first need to undo the steps you performed in applying
that patch before applying these steps and this patch.