Portal security related queries

Document ID : KB000008903
Last Modified Date : 14/02/2018
Issue:

The ViewDoc component is vulnerable to path traversal, allowing a user to reference files outside of the document repository.

For example: 

https://portal/ViewDoc?path=lrs.sql&tag=./HEAD/../../../datafiles/ 

https://portal/ViewDoc?path=config_portal.sh&tag=./HEAD/../../../datafiles/ 

 

The request returns "500 Error" since the file is not an XML file: the XSLT transformation fails and no content is returned (mitigating a possible Local File Include vulnerability).

If, however, an XML file is requested, for example:

https://portal/ViewDoc?path=/images/AISP_171127.wadl&tag=../DATA/HEAD 

https://portal/ViewDoc?path=config.xml&tag=./HEAD/../../ 

The application enters an infinite loop (trying to read MetaInfo), resulting in a Stack Overflow (as listed below).

Since requests to ViewDoc can be made without authentication (not sure if this is desired too), it could be used to perform a denial of service attack against the application (response time for this wadl file is 3100ms).

 

java.lang.StackOverflowError
    at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
    at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    at com.thelevel.cmsutil.Utils.parseXML(Utils.java:478)
    at com.thelevel.cmsutil.Utils.parseXML(Utils.java:460)
    at com.thelevel.repository.metainfo.MetaInfo.parseXML(MetaInfo.java:846)
    at com.thelevel.repository.metainfo.MetaInfo.updateInternal(MetaInfo.java:809)

 

Environment:
Portal 3.5
Resolution:

The user needs to apply CR6 and then manually edit /SYSTEM/conf/access_control.xml to add authentication for the /ViewDoc path.

Add the following before the first <SecurityHints> node in the CMS repository document /SYSTEM/conf/access_control.xml and then publish the document.

  <SecurityHints path="/ViewDoc(.*)" locale="(.*)" context="(.*)" loginMode="stealth">
    <Role name="cmsuser">
      <Action name="view" value="true" />
    </Role>
  </SecurityHints>
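
To review existing web access logs for requests like the ones shown in the Issue section, the script below flags /ViewDoc requests whose path or tag parameter contains a ".." segment, including percent-encoded forms. It is an added example, not code from the product or its vendor; the log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: combined-style access log; only the request line and status are used.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def has_traversal(value, max_rounds=3):
    """True if any path segment is '..' after undoing repeated percent-encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Compare whole segments so names such as 'release..notes.xml' are not flagged.
    return ".." in value.replace("\\", "/").split("/")

def check_line(line):
    """Return (url, status, offending params) for a ViewDoc traversal, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url, status = m.group(1), int(m.group(2))
    parts = urlsplit(url)
    if not parts.path.startswith("/ViewDoc"):  # same prefix as the SecurityHints path
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    bad = sorted({name for name in ("path", "tag")
                  for v in query.get(name, []) if has_traversal(v)})
    return (url, status, bad) if bad else None

def scan(lines):
    """Collect every suspicious ViewDoc request from an iterable of log lines."""
    return [hit for hit in map(check_line, lines) if hit]

# Constructed sample lines: addresses, timestamps, statuses and sizes are made up.
# The first query string is quoted from this article; the second is the article's
# "./HEAD/../../" tag in percent-encoded form; the last two are benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2018:10:00:01 +0000] "GET /ViewDoc?path=lrs.sql&tag=./HEAD/../../../datafiles/ HTTP/1.1" 500 0',
    '192.0.2.10 - - [01/Jan/2018:10:00:05 +0000] "GET /ViewDoc?path=config.xml&tag=.%2FHEAD%2F%2E%2E%2F%2E%2E%2F HTTP/1.1" 500 0',
    '192.0.2.20 - - [01/Jan/2018:10:01:00 +0000] "GET /ViewDoc?path=/images/logo.xml&tag=HEAD HTTP/1.1" 200 5120',
    '192.0.2.20 - - [01/Jan/2018:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for url, status, params in scan(SAMPLE_LOG):
        print(status, ",".join(params), url)
```

Hits that predate the access_control.xml change show which files were requested through ViewDoc while it was reachable without authentication.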