Vulnerability in Portal's Portlet Repository

Creation Date: 29-OCT-2002
Last Revision Date: 29-OCT-2002

Description

A potential security vulnerability has been discovered in the portal technology in Oracle9i Application Server. The vulnerability pertains to portal pages and content areas featured in Oracle9i Application Server that are configured to be publicly accessible by default. The Portlet Repository, which provides access to a preview mode of the portlets in all registered providers, is represented as a Content Area (in Version 3.0.9) or a Page Group (in Version 9.0.2) that is publicly accessible. As such, if the portlet provider implementation does not implement authorization checks of its own, then an unauthenticated, malicious and knowledgeable user would be able to browse potentially sensitive information that may be exposed in such portlets.

Products Affected

Oracle9i Application Server up to and including 9.0.2.

Platforms Affected

All

Workarounds

The workaround to this vulnerability is to disable public access to the pages and folders of concern using the design-time screens for granting access to the appropriate pages and folders.

Oracle9i Application Server: Portal Releases 3.0.9.x

In order to secure access to certain pages that are publicly accessible by default, login to Portal as an administrative user with the privilege to manage all pages and content areas, and remove public access permissions from the following pages:
Oracle Portal Homepage (HOMEPAGE)
Oracle Portal Navigator (NAVIGATOR)
Search Results Page (SEARCHRESULTS)
Oracle Reports Security (ORACLE_REPORTS_SECURITY)

To secure the pages,

  • Use the Portal Navigator to view the list of Content Areas on the Content Areas tab.
  • Click on "Edit Root Page" of the appropriate content area,
  • Click on the "Access" tab.
  • Add the group AUTHENTICATED_USERS to the access list under Change Access, giving this group VIEW privilege.
  • Remove the check mark from the option, "Make Public."
  • Select "Add Privileges to all pages" and click on "Cascade Privileges" to easily propagate this change in privileges to the pages of the content area.


Secure the folders in the following Content Areas:
Monitor
Portlet Repository

To secure the folders,

  • Use the Portal Navigator to view the list of Content Areas on the Content Areas tab.
  • Click on "Edit Root Folder" of the appropriate content area,
  • Click on the "Access" tab.
  • Add the group AUTHENTICATED_USERS to the access list under Change Access, giving this group VIEW privilege.
  • Remove the check mark from the option, "Make Public."
  • Select "Add Privileges to all subfolders" and click on "Cascade Privileges" to easily propagate this change in privileges to the subfolders of the content area.


Oracle9i Application Server Release 9.0.2

In order to secure access to certain pages that are publicly accessible by default, login to the Portal as an administrative user with the privilege to manage all page groups, and remove public access permissions from the following pages:
Portal Design-Time Pages
Portlet Repository

To secure the pages, use the Portal Navigator to view the list of Page Groups under the Page Groups tab. Click on "Edit Root Page" of the appropriate Page Group, and click on the Page: Access link. Add the group AUTHENTICATED_USERS to the access list under Change Access, giving this group View privilege. Remove the check mark from the option, "Display Page To Public Users."

Use the Portal Navigator to view the list of Page Groups under the Page Groups tab. Click on "Contents" beside the Page Group of interest. Then, click on "Bulk Action" on the Pages row. Click on the checkbox in the header to select all pages and select "Grant Access" from the action LOV and click "Go." A Bulk Action Grant Access screen will be displayed. Select "Add to Existing Privileges", and grant the AUTHENTICATED_USERS group the View privilege. Back on the Bulk Action screen, select "Make Private" from the action LOV, and click "Go" to remove public access from the pages. Repeat these steps for additional pages of the Bulk Action screen, if all the list of pages in the Page Group did not fit on one page of the Bulk Action screen.

Note:

Portlets need to implement their own authorization logic too. Restricting access to the Portlet Repository by making the folders or pages inaccessible to the public is not necessary if the portlets themselves are implemented with the appropriate access restrictions. The built-in portlets have this access restriction logic built-in. For customer-written providers, it is necessary to follow the guidelines on securing portlets if the portlet contains any security-sensitive information. Please see the following article on Portal Studio that addresses how to secure portlets. Also see the other information on security in the Oracle9i Application Server Portal Developer Kit (PDK).

Primer on Portlet Security:
http://portalstudio.oracle.com/pls/ops/docs/FOLDER/COMMUNITY/PDK/ARTICLES/PRIMER.PORTLET.SECURITY.HTML

Patch Information

i