Problem Note 66864: SAS® Information Delivery Portal might allow unauthorized access to the file system
Severity: High
Description: SAS Information Delivery Portal might allow unauthorized access to the server file system via the URL display portlet.
Potential Impact: A user can gain unauthorized access to the server file system.
Solution: After you apply the hot fix, take the following steps:
- Create a new property, URLDisplayPortlet.UrlRestrictions, under the Advanced application properties for "SAS Information Delivery Portal 4.4," available through the Configuration Manager plug-in in SAS® Management Console.
- You can populate the Property Value field with a comma-delimited list of protocols and URL prefixes that are allowed to be displayed within the URL display portlet.
  Examples of values:
  - Allow only https and http traffic: http,https
  - Disallow file:// protocol: !file
  - Allow only URLs with a certain prefix: https://mysite.com/
- Restart the web application server instance SASServer1_1 in order for these changes to take effect.
Click the Hot Fix tab in this note to access the hot fix for this issue.
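
A pre-deployment check for a proposed URLDisplayPortlet.UrlRestrictions value, as an added example that is not SAS code. The matching rules it models (a "!" entry denies a scheme, a bare entry allows a scheme, an entry containing "://" allows a URL prefix, and a deny-only list lets every other scheme through) are assumptions drawn from the example values above, not documented product behavior; the function names and the example.net host are hypothetical.

```python
from urllib.parse import urlsplit

# Assumed semantics (not documented SAS behavior): "!x" denies scheme x,
# a bare token allows a scheme, a token containing "://" allows a URL prefix.
def parse_restrictions(value):
    denied, schemes, prefixes = set(), set(), []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry.startswith("!"):
            denied.add(entry[1:].rstrip(":/").lower())
        elif "://" in entry:
            prefixes.append(entry)
        else:
            schemes.add(entry.lower())
    return denied, schemes, prefixes

def is_allowed(url, value):
    """Model whether the portlet would display url under this property value."""
    denied, schemes, prefixes = parse_restrictions(value)
    scheme = urlsplit(url).scheme.lower()
    if scheme in denied:
        return False
    if not schemes and not prefixes:
        return True  # deny-only list: every scheme not named passes
    return scheme in schemes or any(url.startswith(p) for p in prefixes)

def lint(value):
    """Return warnings about weak spots in a proposed property value."""
    denied, schemes, prefixes = parse_restrictions(value)
    warnings = []
    if not schemes and not prefixes:
        warnings.append("deny-only list: schemes not listed stay allowed")
    if "file" in schemes or any(p.lower().startswith("file:") for p in prefixes):
        warnings.append("file scheme is explicitly allowed")
    for p in prefixes:
        if "/" not in p.split("://", 1)[1]:
            warnings.append(f"{p}: no '/' after host, look-alike hosts match")
    return warnings

if __name__ == "__main__":
    # Constructed sample values and URLs.
    for value in ("http,https", "!file", "https://mysite.com/", "https://mysite.com"):
        print(value, "->", lint(value) or "no warnings")
        for url in ("file:///etc/hosts", "https://mysite.com/report",
                    "https://mysite.com.example.net/"):
            print("   ", url, is_allowed(url, value))
```

Under these assumptions, the allow-list forms (http,https or a prefix that ends in "/") are the stricter choices; !file alone blocks only the one scheme it names.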
Operating System and Release Information
SAS System | SAS Information Delivery Portal |
Microsoft® Windows® for x64 | 4.4_M6 | | 9.4 TS1M6 | |
64-bit Enabled AIX | 4.4_M6 | | 9.4 TS1M6 | |
64-bit Enabled Solaris | 4.4_M6 | | 9.4 TS1M6 | |
HP-UX IPF | 4.4_M6 | | 9.4 TS1M6 | |
Linux for x64 | 4.4_M6 | | 9.4 TS1M6 | |
Solaris for x64 | 4.4_M6 | | 9.4 TS1M6 | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: Problem Note
Priority: high
Date Modified: 2020-11-19 10:04:34
Date Created: 2020-10-28 13:29:18