On Thu, 2007-08-30 at 14:36 -0600, Chris Hubick chrish-at-athabascau.ca |JASIG-List-2| wrote:
> Hi,
>
> uPortal ships an HttpProxyServlet which is enabled by default.
>
> This servlet accepts requests of the form '/host/url' and will relay
> information from *any* host named in the request, including query
> string.
>
> The only security I see is to check that the request's 'Referer' header
> is that of the portal. This is trivial to subvert, as HTTP headers are
> easy to forge ( http://livehttpheaders.mozdev.org/ ).
>
> This means that anyone who can connect to this servlet (normally the
> whole world) is capable of requesting any document from any machine
> which the uPortal machine can itself access (possibly including machines
> on your intranet or behind your firewall). This could be used to
> retrieve sensitive information or forward requests containing any number
> of remote exploit attempts.
>
> Or am I missing something?
Hello Chris,

You aren't missing much... It's not really too secure. There is one more
check you don't mention though: besides checking the Referer header,
org.jasig.portal.HttpProxyServlet will return a 404 error if you don't
have a session already established on the server.

Do you have any method to limit proxying in content without manually
whitelisting sites to proxy?

-Brad

> --
> Chris Hubick
> mailto:[EMAIL PROTECTED]

--
You are currently subscribed to [email protected] as: [EMAIL PROTECTED]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/uportal-dev
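The allowlist-style check the thread circles around, written as an added example (not uPortal's code and not from either message): it authorizes a '/host/url' proxy request only when a portal session exists, the target is not a loopback, private or link-local address literal, and the host is on an explicit allowlist. The Referer header is deliberately not consulted, since a client controls it. The allowlist contents and the helper names are assumptions for illustration.

```python
import ipaddress

# Constructed allowlist for illustration; a deployment lists its own hosts.
ALLOWED_HOSTS = {"www.example.edu", "news.example.org"}


def parse_proxy_request(path_info):
    """Split the servlet's '/host/url' form into (host[:port], path).
    Returns None when no host component is present."""
    parts = path_info.lstrip("/").split("/", 1)
    if not parts[0]:
        return None
    rest = "/" + parts[1] if len(parts) > 1 else "/"
    return parts[0].lower(), rest


def is_non_global_address(host):
    """True when host is an IP literal outside the public address space
    (loopback, RFC 1918, link-local, etc.). Hostnames return False and
    are left to the allowlist; note a name can still resolve internally,
    so only names you trust belong on that list."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def authorize_proxy(path_info, has_session, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a proxy request may be relayed. Returns
    (allowed, reason). The Referer header is attacker-controlled and is
    intentionally not part of the decision."""
    if not has_session:
        return False, "no portal session"
    parsed = parse_proxy_request(path_info)
    if parsed is None:
        return False, "malformed request"
    host, _path = parsed
    hostname = host.partition(":")[0]  # drop an explicit port
    if is_non_global_address(hostname):
        return False, "internal address"
    if hostname not in allowed_hosts:
        return False, "host not allowlisted"
    return True, "ok"


if __name__ == "__main__":
    for req in ["/www.example.edu/news.html", "/10.0.0.5/admin",
                "/127.0.0.1:8080/", "/intranet.example.edu/x", "/"]:
        print(req, authorize_proxy(req, has_session=True))
```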
