
Key: UP-1741
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Critical
Assignee: Faizan Ahmed
Reporter: Faizan Ahmed
Votes: 0
Watchers: 0
uPortal

RemoteUserSecurityContext exploit

Created: 18/Jun/07 02:58 PM   Updated: 22/Jun/07 03:37 PM
Component/s: Authentication, Authorization
Affects Version/s: 2.1.1, 2.1.2, 2.1.4, 2.1.3, 2.1, 2.1.5, 2.2, 2.2.1, 2.3, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4, 2.4.1, 2.4.2, 2.5.0 M1, 2.5.1 RC1, 2.5.0 RC1, 2.5.0 RC3, 2.5.0 RC2, 2.5.0 GA, 2.5.1 RC2, 2.5.2 RC1, 2.4.4, 2.4.3, 2.5.1 RC3, 2.5.1 GA, 2.4.3.1, 2.5.3 RC1, 2.5.2 GA, 2.5.3 RC2, 2.5.3 RC3, 2.5.3 GA
Fix Version/s: 2.5.4, 2.5.3.1

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown
File Attachments: 1. Text File remoteuser.patch (2 kb)

Issue Links:
Duplicate
This issue duplicates:
UP-1723 RemoteUserSecurityContext exploit Critical Closed
 


Description
*Summary:*
RemoteUserSecurityContext may allow an authenticated user to
authenticate as another user knowing only that user's account name. A
patch for this vulnerability is attached to this message.

*Issue:*
The vulnerability is exposed when the RemoteUserSecurityContextFactory
is used in conjunction with another security context factory under the
UnionSecurityContextFactory. The result of this configuration is that any
user who can access uPortal with REMOTE_USER set can become any other
portal user.

If authentication is attempted with the other security context, the
provided user id is set on the principal. When the
RemoteUserSecurityContext then executes, it attempts to set the user id of
the principal to the REMOTE_USER value and returns that the principal is
authenticated. Since the principal already has a user id set, the setting
by RemoteUserSecurityContext fails silently, resulting in an
authenticated principal with the user id provided by the attacker, not
the value specified in the REMOTE_USER field.

An example vulnerable configuration from security.properties:
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.a=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
root.b=org.jasig.portal.security.provider.SimpleSecurityContextFactory

*Versions Affected:*
All (2.0, 2.1, 2.2, 2.3, 2.4, 2.5)



Comments
Faizan Ahmed [18/Jun/07 02:59 PM]
Resolution:
The resolution involves adding a check to RemoteUserSecurityContext to
verify that setting the REMOTE_USER user id on the principal was
successful. If it was not, the RemoteUserSecurityContext will not mark the
principal as authenticated.

Patching:
The attached patch should be applied to the file
/uPortal/source/org/jasig/portal/security/provider/RemoteUserSecurityContext.java

After applying the patch, compile and deploy the file to the
application server.
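To make the interaction between the two sub-contexts concrete, the following is an added Python model (not uPortal's own code) of the flow the description and resolution describe: a principal whose user id can be set only once, a stand-in for each security context factory, and a union that authenticates if any sub-context does. The class and function names, the user table and the "set-once uid" rule are assumptions constructed to reproduce the silent failure; the `patched` flag models the check the attached patch adds.

```python
# Added example (not uPortal code): a simplified model of the UP-1741 flaw.
# Class/function names and the user table are constructed for illustration.

USERS = {"alice": "correct-horse"}  # constructed user table for SimpleContext


class Principal:
    """A principal whose user id can be set only once; a later set fails silently."""

    def __init__(self):
        self.uid = None

    def set_uid(self, uid):
        if self.uid is not None:
            return False  # silent failure: the existing uid is kept
        self.uid = uid
        return True


class SimpleContext:
    """Stand-in for SimpleSecurityContextFactory: records the submitted user id
    on the principal, then checks the password."""

    def authenticate(self, principal, username, password):
        principal.set_uid(username)  # uid is set before the password is verified
        return USERS.get(username) == password


class RemoteUserContext:
    """Stand-in for RemoteUserSecurityContextFactory; check_set models the patch."""

    def __init__(self, check_set):
        self.check_set = check_set

    def authenticate(self, principal, remote_user):
        if remote_user is None:
            return False
        was_set = principal.set_uid(remote_user)
        if self.check_set and not was_set:
            return False  # patched: refuse when REMOTE_USER could not be applied
        return True  # unpatched: authenticated regardless of which uid stuck


def union_login(username, password, remote_user, patched):
    """Model of UnionSecurityContextFactory: authenticated if any sub-context is.
    Returns (authenticated, effective uid)."""
    principal = Principal()
    results = []
    if username is not None:
        results.append(SimpleContext().authenticate(principal, username, password))
    results.append(RemoteUserContext(patched).authenticate(principal, remote_user))
    return any(results), principal.uid
```

With `patched=False`, a wrong password for "alice" plus any REMOTE_USER yields an authenticated principal whose uid is "alice"; with `patched=True` the same request is rejected, while a REMOTE_USER-only login still succeeds.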


Faizan Ahmed [18/Jun/07 04:02 PM]
The Remote User security vulnerability workaround patch.

Andrew Petro [18/Jun/07 05:17 PM]
UP-1723 tracks this issue in uPortal 2.6.0 where it is resolved for 2.6.0 GA. UP-1741 tracks this issue in prior uPortal releases where it is resolved for 2.5.3.1.