66864 - SAS® Information Delivery Portal might allow unauthorized access to the file system

Problem Note 66864: SAS® Information Delivery Portal might allow unauthorized access to the file system

Severity: High

Description: SAS Information Delivery Portal might allow unauthorized access to the server file system via the URL display portlet.

Potential Impact: A user can gain unauthorized access to the server file system.

Solution: After you apply the hot fix, take the following steps:

Create a new property, URLDisplayPortlet.UrlRestrictions, under the Advanced application properties for "SAS Information Delivery Portal 4.4," available through the Configuration Manager plug-in in SAS^® Management Console.
You can populate the Property Value field with a comma-delimited list of protocols and URL prefixes that are allowed to be displayed within the URL display portlet.

Examples of values:
Allow only https and http traffic: http,https
Disallow file:// protocol: !file
Allow only URLs with a certain prefix: https://mysite.com/
Restart the web application server instance SASServer1_1 in order for these changes to take effect.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Product Family	Product	System	Product Release		SAS Release
Product Family	Product	System	Reported	Fixed*	Reported	Fixed*
SAS System	SAS Information Delivery Portal	Microsoft® Windows® for x64	4.4_M6		9.4 TS1M6
		64-bit Enabled AIX	4.4_M6		9.4 TS1M6
		64-bit Enabled Solaris	4.4_M6		9.4 TS1M6
		HP-UX IPF	4.4_M6		9.4 TS1M6
		Linux for x64	4.4_M6		9.4 TS1M6
		Solaris for x64	4.4_M6		9.4 TS1M6

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

A fix for this issue for SAS Portal and Portlets 4.4_M7 is available at:

Type:	Problem Note
Priority:	high

Date Modified:	2020-11-19 10:04:34
Date Created:	2020-10-28 13:29:18