SUPPORT / SAMPLES & SAS NOTES
Problem Note 66864: SAS® Information Delivery Portal might allow unauthorized access to the file system
 |  |  |  |  |
Severity: High
Description: SAS Information Delivery Portal might allow unauthorized access to the server file system via the URL display portlet.
Potential Impact: A user can gain unauthorized access to the server file system.
Solution: After you apply the hot fix, take the following steps:
- Create a new property, URLDisplayPortlet.UrlRestrictions, under the Advanced application properties for "SAS Information Delivery Portal 4.4," available through the Configuration Manager plug-in in SAS® Management Console.
- You can populate the Property Value field with a comma-delimited list of protocols and URL prefixes that are allowed to be displayed within the URL display portlet. Here are some examples of values:
Description Property Value field Allow only https and http traffic http,https Disallow file:// protocol !file Allow only URLs with a certain prefix https://mysite.com/
- Restart the web application server instance SASServer1_1 in order for these changes to take effect.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Information Delivery Portal | Microsoft® Windows® for x64 | 4.4_M6 | 9.4 TS1M6 | ||
| 64-bit Enabled AIX | 4.4_M6 | 9.4 TS1M6 | ||||
| 64-bit Enabled Solaris | 4.4_M6 | 9.4 TS1M6 | ||||
| HP-UX IPF | 4.4_M6 | 9.4 TS1M6 | ||||
| Linux for x64 | 4.4_M6 | 9.4 TS1M6 | ||||
| Solaris for x64 | 4.4_M6 | 9.4 TS1M6 | ||||