Portal security related queries

Article ID: 8903

Products

CA API Developer Portal CA API Gateway

Issue/Introduction

The ViewDoc component is vulnerable to path traversal, allowing a user to reference files outside the document repository.

For example: 

https://portal/ViewDoc?path=lrs.sql&tag=./HEAD/../../../datafiles/ 

https://portal/ViewDoc?path=config_portal.sh&tag=./HEAD/../../../datafiles/ 

The request returns "500 Error" because the file is not an XML file: the XSLT transformation fails and no content is returned (which mitigates a possible Local File Inclusion vulnerability).

If, however, an XML file is requested, for example:

https://portal/ViewDoc?path=/images/AISP_171127.wadl&tag=../DATA/HEAD 

https://portal/ViewDoc?path=config.xml&tag=./HEAD/../../ 

The application enters an infinite loop (trying to read MetaInfo), resulting in a StackOverflowError (stack trace below).

Since ViewDoc can be requested without authentication (not sure if this is desired either), it could be used to perform a denial-of-service attack against the application (the response time for this WADL file is 3100 ms).

java.lang.StackOverflowError
    at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
    at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    at com.thelevel.cmsutil.Utils.parseXML(Utils.java:478)
    at com.thelevel.cmsutil.Utils.parseXML(Utils.java:460)
    at com.thelevel.repository.metainfo.MetaInfo.parseXML(MetaInfo.java:846)
    at com.thelevel.repository.metainfo.MetaInfo.updateInternal(MetaInfo.java:809)
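As an added illustration (this is not code from the article or from the Portal product), the Python below shows why the tag and path values in the examples above escape the document root, and runs the same containment check over constructed access-log lines so a defender can spot such ViewDoc requests in existing logs. The repository root path, the assumption that ViewDoc combines the parameters as root/tag/path, and the log lines themselves are all constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed document repository root that ViewDoc serves from (the real path
# inside the Portal is not given in the article; only its role matters here).
REPO_ROOT = "/repository/DOCS"


def resolves_outside_repo(root: str, tag: str, path: str) -> bool:
    """Return True if joining root/tag/path and collapsing '.' and '..'
    yields a location outside root.

    Assumption: ViewDoc combines the two parameters as <root>/<tag>/<path>.
    Leading slashes are stripped so an absolute-looking 'path' is judged
    relative to the root instead of discarding everything before it.
    """
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(
        posixpath.join(root_norm, tag.lstrip("/"), path.lstrip("/"))
    )
    return candidate != root_norm and not candidate.startswith(root_norm + "/")


# Common-log-format request line: client, timestamp, then "METHOD target HTTP/x".
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_traversal_requests(lines, root=REPO_ROOT):
    """Return (client, tag, path) for each ViewDoc request whose parameters
    resolve outside the repository root."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        if parts.path != "/ViewDoc":
            continue
        params = parse_qs(parts.query)  # percent-decodes the values
        tag = params.get("tag", [""])[0]
        path = params.get("path", [""])[0]
        if resolves_outside_repo(root, tag, path):
            hits.append((client, tag, path))
    return hits


# Constructed access-log sample: one legitimate request, the article's three
# traversal examples (the last one percent-encoded), and an unrelated request.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /ViewDoc?path=guide.xml&tag=HEAD HTTP/1.1" 200 2048',
    '10.0.0.9 - - [10/Oct/2023:12:00:02 +0000] "GET /ViewDoc?path=lrs.sql&tag=./HEAD/../../../datafiles/ HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/Oct/2023:12:00:03 +0000] "GET /ViewDoc?path=config.xml&tag=./HEAD/../../ HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/Oct/2023:12:00:04 +0000] "GET /ViewDoc?path=%2Fimages%2FAISP_171127.wadl&tag=..%2FDATA%2FHEAD HTTP/1.1" 500 0',
    '10.0.0.7 - - [10/Oct/2023:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, tag, path in find_traversal_requests(LOG_LINES):
        print(f"{client}: tag={tag!r} path={path!r} resolves outside {REPO_ROOT}")
```

The containment test normalises the joined path first and then checks the prefix; checking for a literal `..` substring alone would miss encoded or mixed forms, and checking the prefix without normalising would accept `/repository/DOCS/HEAD/../../..` as inside the root.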

Environment

Portal 3.5

Resolution

The user needs to apply CR6 and then manually edit /SYSTEM/conf/access_control.xml to add authentication for the /ViewDoc path.

Add the following before the first <SecurityHints> node in the CMS repository document /SYSTEM/conf/access_control.xml and then publish the document.

  <SecurityHints path="/ViewDoc(.*)" locale="(.*)" context="(.*)" loginMode="stealth">
    <Role name="cmsuser">
      <Action name="view" value="true" />
    </Role>
  </SecurityHints>
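To confirm the edit was applied as described (the node present, placed before the first existing SecurityHints node, and granting view only to cmsuser), the following added Python check parses the document and reports any deviation. It is not part of the article or the product; the `<AccessControl>` root element and the pre-existing catch-all node in the constructed samples are assumptions, since the article shows only the node to add.

```python
import xml.etree.ElementTree as ET

VIEWDOC_PATH = "/ViewDoc(.*)"


def check_viewdoc_hint(xml_text: str) -> list:
    """Return a list of findings for access_control.xml content. An empty list
    means the /ViewDoc SecurityHints node is present, precedes every other
    SecurityHints node, uses loginMode="stealth", and grants view to cmsuser."""
    root = ET.fromstring(xml_text)
    hints = list(root.iter("SecurityHints"))  # document order
    viewdoc = [h for h in hints if h.get("path") == VIEWDOC_PATH]
    if not viewdoc:
        return ['no SecurityHints node with path="/ViewDoc(.*)"']
    node = viewdoc[0]
    findings = []
    # The article says to add the node before the first existing SecurityHints
    # node, so the check treats any other node ahead of it as a defect.
    if hints[0] is not node:
        findings.append("ViewDoc SecurityHints is not the first SecurityHints node")
    if node.get("loginMode") != "stealth":
        findings.append('ViewDoc SecurityHints loginMode is not "stealth"')
    cmsuser = [r for r in node.findall("Role") if r.get("name") == "cmsuser"]
    if not cmsuser:
        findings.append('ViewDoc SecurityHints has no Role name="cmsuser"')
    else:
        actions = cmsuser[0].findall("Action")
        if not any(a.get("name") == "view" and a.get("value") == "true" for a in actions):
            findings.append("cmsuser Role does not grant Action view=true")
    return findings


def check_file(filename: str) -> list:
    """Run the check against a file on disk, e.g. an exported access_control.xml."""
    with open(filename, encoding="utf-8") as fh:
        return check_viewdoc_hint(fh.read())


# The node from the article, verbatim.
VIEWDOC_HINT = """
  <SecurityHints path="/ViewDoc(.*)" locale="(.*)" context="(.*)" loginMode="stealth">
    <Role name="cmsuser">
      <Action name="view" value="true" />
    </Role>
  </SecurityHints>"""

# Constructed stand-in for a pre-existing SecurityHints node; its path and
# role name are assumptions made for the example.
EXISTING_HINT = """
  <SecurityHints path="/(.*)" locale="(.*)" context="(.*)" loginMode="stealth">
    <Role name="anonymous">
      <Action name="view" value="true" />
    </Role>
  </SecurityHints>"""

# Constructed documents; the <AccessControl> root element name is an assumption.
PATCHED_XML = "<AccessControl>" + VIEWDOC_HINT + EXISTING_HINT + "\n</AccessControl>"
UNPATCHED_XML = "<AccessControl>" + EXISTING_HINT + "\n</AccessControl>"
MISORDERED_XML = "<AccessControl>" + EXISTING_HINT + VIEWDOC_HINT + "\n</AccessControl>"

if __name__ == "__main__":
    for label, doc in [("patched", PATCHED_XML), ("unpatched", UNPATCHED_XML),
                       ("misordered", MISORDERED_XML)]:
        print(label, check_viewdoc_hint(doc) or "OK")
```

Run `check_file("/path/to/exported/access_control.xml")` against a copy of the published document; an empty result means the ViewDoc rule is present and ordered as the resolution requires.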