Problem Note 55044: SAS® Web Infrastructure Platform applications (including SAS® Logon Manager) might be vulnerable to Cross-Site Request Forgery attacks


SAS Web Infrastructure Platform applications, including SAS Logon Manager, might be vulnerable to Cross-Site Request Forgery (CSRF) attacks.

CVSS Score: 6.0

Click the Hot Fix tab in this note to access the hot fix for this issue.

Important Notes:

The application of this hot fix provides a filter for protection against CSRF in the SAS® installation. The filter is disabled by default to allow you the opportunity to configure it before it is enabled, which avoids potential user impact upon enablement.

With this protection enabled, requests that do not originate from sites on a whitelist are rejected. With the default (empty) whitelist, the SAS installation is protected against browser-based CSRF attacks, but applications that are external to the SAS installation can no longer link to SAS web applications. If you link to a SAS application from a company intranet or a portal page that is not hosted in the SAS installation, you encounter access denied messages when you click those links.

There are many legitimate cases where it is necessary to link to SAS web applications. For such cases, you can add a site that contains a link to a SAS web application to the SAS CSRF whitelist, as follows:

  1. Launch SAS® Management Console.
  2. Select Application Management ► Configuration Manager.
  3. Open the properties for SAS Application Infrastructure.
  4. On the Advanced tab, add a property named sas.web.csrf.referers.knownHosts and specify the value as a comma-delimited list of whitelisted sites. For example, to add my-intranet.example.com and test.my-intranet.example.com to the whitelist, set the value to http://my-intranet.example.com/,http://test.my-intranet.example.com/.

Including a trailing slash at the end of each value is important: if the slash is omitted, any site whose address merely begins with the whitelisted value (a prefix attack) can bypass the protection. Be sure to include port numbers in the value if the whitelisted site uses ports other than the standard 80 or 443 for HTTP and HTTPS, respectively. You can also restrict a value to a single application on the whitelisted site by including the application’s path in the value, for example, http://my-intranet.example.com/my-application-path/.

In addition to whitelisting sites, you can also whitelist certain HTTP methods. For example, you can choose to allow GET requests from any site. However, any SAS application that uses GET requests to invoke certain behavior is then left susceptible to CSRF attacks. If you choose to whitelist certain methods, set the sas.web.csrf.referers.skipMethods property in the advanced properties for the SAS Application Infrastructure. This value should be a comma-delimited list of HTTP methods (for example, GET,OPTIONS,TRACE) that are to be skipped by the check.

To enable CSRF checking and enforcement, set the sas.web.csrf.referers.performCheck property to true in the advanced properties for SAS Application Infrastructure.

After changing any of the properties that are discussed above, you must restart the SAS® Web Application Server in order for the changes to take effect.

As an option, you can choose to set CSRF properties on individual web applications in your SAS installation by using Configuration Manager. After you make any changes in Configuration Manager, you need to restart all of the web application servers in your SAS middle tier in order for the settings to take effect.
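To make the matching rules concrete, the following is a small Python model of the check described in this note. It is illustrative code written for this note, not the filter shipped in the SAS hot fix; the property names are taken from the note, but the plain string-prefix match, the implicit trust of the application's own origin, and the rejection of requests that carry no Referer header are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class CsrfConfig:
    """Values of the three properties discussed in the note (as strings, as set in Configuration Manager)."""
    perform_check: bool = False   # sas.web.csrf.referers.performCheck (disabled by default)
    known_hosts: str = ""         # sas.web.csrf.referers.knownHosts, comma-delimited
    skip_methods: str = ""        # sas.web.csrf.referers.skipMethods, comma-delimited


def _own_origin(request_url: str) -> str:
    """Origin of the SAS web application that received the request, with a trailing slash.
    Assumption of this model: the installation's own origin is always trusted."""
    u = urlsplit(request_url)
    return f"{u.scheme}://{u.netloc}/"


def _split_list(value: str) -> list:
    return [item.strip() for item in value.split(",") if item.strip()]


def referer_allowed(method: str, referer: Optional[str], request_url: str, cfg: CsrfConfig) -> bool:
    """Return True when the request passes the referer-based CSRF check."""
    if not cfg.perform_check:
        return True                                   # filter installed but not enforcing
    if method.upper() in {m.upper() for m in _split_list(cfg.skip_methods)}:
        return True                                   # whitelisted method: not checked at all
    if not referer:
        return False                                  # assumption: no Referer header -> reject
    allowed_prefixes = [_own_origin(request_url)] + _split_list(cfg.known_hosts)
    # Plain prefix match. A value without a trailing slash, such as
    # "http://my-intranet.example.com", also matches hosts whose name merely
    # starts with it; with the slash, only that host (and its paths) match.
    return any(referer.startswith(prefix) for prefix in allowed_prefixes)
```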

For more details about the CSRF software attack, see the Open Web Application Security Project's (OWASP) Cross-Site Request Forgery (CSRF) page.

Operating System and Release Information

Product Family | Product | System | Product Release Reported | Product Release Fixed* | SAS Release Reported | SAS Release Fixed*
SAS System | SAS Web Infrastructure Platform | Solaris for x64 | 9.2_M1 | 9.4_M3 | 9.2 TS2M0 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | Linux for x64 | 9.2_M1 | 9.4_M3 | 9.2 TS2M0 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | HP-UX IPF | 9.2_M1 | 9.4_M3 | 9.2 TS2M0 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled Solaris | 9.2_M1 | 9.4_M3 | 9.2 TS2M0 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled HP-UX | 9.2_M1 | 9.4_M3 | 9.2 TS2M0 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | 64-bit Enabled AIX | 9.2_M1 | 9.4_M3 | 9.2 TS2M0 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | Windows Vista for x64 | 9.2_M1 | | 9.2 TS2M0 |
SAS System | SAS Web Infrastructure Platform | Windows Vista | 9.2_M1 | | 9.2 TS2M0 |
SAS System | SAS Web Infrastructure Platform | Microsoft Windows XP Professional | 9.2_M1 | | 9.2 TS2M0 |
SAS System | SAS Web Infrastructure Platform | Microsoft Windows Server 2008 for x64 | 9.2_M1 | 9.4_M3 | 9.2 TS2M0 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | Microsoft Windows Server 2008 R2 | 9.2_M1 | 9.4_M3 | 9.2 TS2M0 | 9.4 TS1M3
SAS System | SAS Web Infrastructure Platform | Microsoft Windows Server 2003 for x64 | 9.2_M1 | | 9.2 TS2M0 |
SAS System | SAS Web Infrastructure Platform | Microsoft Windows Server 2003 Standard Edition | 9.2_M1 | | 9.2 TS2M0 |
SAS System | SAS Web Infrastructure Platform | Microsoft Windows Server 2003 Enterprise Edition | 9.2_M1 | | 9.2 TS2M0 |
SAS System | SAS Web Infrastructure Platform | Microsoft Windows Server 2003 Datacenter Edition | 9.2_M1 | | 9.2 TS2M0 |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.