This page is for collecting information about and patches to address the CWebProxy arbitrary request parameters exploit.
The jasig-announce announcement:
This notice is to update everyone on the CWebProxy vulnerability first identified September 28, 2005.
The next day, a patch was provided to the development list and a JIRA issue was opened to track the problem.
The final solution was refined over the next two weeks and included a patch to CWebProxy as well as CGenericXSLT channels. In summary, URIs are inspected for a valid list of protocols (default http: and https:). More details are provided in the JIRA issue and in the development list archive.
On October 19, 2005, uPortal 2.5.1 was made available and included the final solution to this vulnerability. On October 28, 2005, a uPortal 2.4.3.1 security release was also made available with this solution.
All uPortal installations are strongly encouraged to either upgrade to one of these releases or apply local patches that address this vulnerability.
Dan
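The fix summarised above is a scheme allow-list: a proxying channel should refuse to fetch any URI whose protocol is not on an explicit list, so that a caller controlling the request parameters cannot point the channel at other protocols or resources. The class below is an added illustration written for this page; it is not uPortal's PrefixUriScrutinizer and does not reproduce the patch linked from the JIRA issue. It assumes plain java.net.URI parsing and a default policy of http and https only, as the announcement states; the class name, method names and sample inputs are all constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative scheme allow-list for a proxying channel (hypothetical class,
 * not uPortal's own scrutinizer). A URI is accepted only if it parses, is
 * absolute, and its scheme is on the allow-list; everything else is rejected
 * before any request is made.
 */
public final class SchemeAllowListScrutinizer {

    private final Set<String> allowedSchemes = new HashSet<>();

    public SchemeAllowListScrutinizer(String... schemes) {
        for (String s : schemes) {
            allowedSchemes.add(s.toLowerCase(Locale.ROOT));
        }
    }

    /** Default policy matching the announcement: http and https only. */
    public static SchemeAllowListScrutinizer defaults() {
        return new SchemeAllowListScrutinizer("http", "https");
    }

    /**
     * Returns true when the candidate is an absolute URI with an allowed scheme.
     * Relative URIs (no scheme) are rejected: the effective scheme would be
     * decided later by whatever resolves them, which is exactly what we want
     * to keep out of the caller's hands.
     */
    public boolean isAllowed(String candidate) {
        if (candidate == null || candidate.trim().isEmpty()) {
            return false;
        }
        try {
            URI uri = new URI(candidate.trim());
            String scheme = uri.getScheme();
            if (scheme == null) {
                return false; // relative reference, fail closed
            }
            return allowedSchemes.contains(scheme.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false; // unparseable input, fail closed
        }
    }

    /** Throwing variant for call sites that should abort rather than branch. */
    public void scrutinize(String candidate) {
        if (!isAllowed(candidate)) {
            throw new IllegalArgumentException(
                "URI rejected by scheme allow-list: " + candidate);
        }
    }

    public static void main(String[] args) {
        SchemeAllowListScrutinizer s = defaults();
        // Constructed sample inputs, not values from the original page.
        String[] samples = {
            "https://example.org/feed.xml",   // allowed
            "HTTP://example.org/",            // allowed, scheme compared case-insensitively
            "file:///local/config.xml",       // blocked
            "ftp://example.org/pub",          // blocked
            "/relative/path",                 // blocked, no scheme
            "javascript:void(0)"              // blocked
        };
        for (String sample : samples) {
            System.out.println((s.isAllowed(sample) ? "allow " : "block ") + sample);
        }
    }
}
```

The check is deliberately an allow-list rather than a deny-list of known-bad schemes: a new or unusual scheme is then blocked by default instead of slipping through. Scheme comparison is case-insensitive because URI schemes are case-insensitive, so an upper-case "HTTP" must be treated the same as "http" rather than being mistaken for something outside the list.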
File modifications:
portal/source/org/jasig/portal/channels/CGenericXSLT.java
portal/source/org/jasig/portal/channels/webproxy/CWebProxy.java
portal/source/org/jasig/portal/utils/uri/PrefixUriScrutinizer.java
portal/source/org/jasig/portal/utils/uri/IUriScrutinizer.java
portal/source/org/jasig/portal/utils/uri/BlockedUriException.java
portal/webpages/media/org/jasig/portal/channels/webproxy/CWebProxy.cpd
portal/webpages/media/org/jasig/portal/channels/CGenericXSLT/RSS/RSS.cpd
portal/webpages/media/org/jasig/portal/channels/CGenericXSLT/CGenericXSLT.cpd
portal/webpages/media/org/jasig/portal/channels/CGenericXSLT/CGenericJustXSLT.cpd
