We have been kindly advised by YEHG on some potential vulnerabilities in ocPortal. As it turns out these issues only occur in poorly configured environments and would even then be tricky for a hacker to exploit. We therefore are updating our advice on how to best configure ocPortal so that it is clear why certain situations would lower security.
The following sections have been added to our security tutorial…
Protect your domain name

It is important that you don't use a public domain name, or give people access to upload their own sites to your domain. If you do, the basic security boundaries that web browsers enforce between sites will be broken down, and someone malicious could use techniques to extract your access from you. Giving others access to subdomains is generally okay, so long as you are careful to configure your cookies so that only the main domain can read them.
Protect your session security

We recommend that the 'Enforce IP addresses for sessions' option is left enabled. If you are on some kind of network such as TOR where your IP address may randomly change, we advise not to use that network when administering ocPortal – it will greatly reduce your security. If you have an ISP where your IP address changes very frequently, you may want to consider a more reliable ISP.
For a break-down of the risk of disabling this option, see this tracker discussion:
0000708: Increase complexity of session IDs - ocPortal feature tracker
Referrers

All users with privileged access should have referrers enabled in their web browser. Without this, ocPortal can't prevent malicious requests from other (malicious) websites being redirected through to your own website's forms.
By default browsers do have referrers enabled, but some firewall products may disable them for very minor privacy reasons (to stop a website knowing what link you followed to get to it, which most people would agree is not really a privacy issue to them at all).
To check you have referrers enabled, go to OcCLE (Admin Zone > Tools > OcCLE) and type:
If you get a blank result, or something like 'unset' or 'hidden', you need to find out why referrers are disabled and re-enable them.
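To make the cookie-scoping advice above and the referrer check concrete, here is an added example (not ocPortal code) that models the three checks as a server would apply them: host-only versus parent-domain cookie scoping, a Referer header that must name the site's own host and fails closed when it is blank or reads 'unset'/'hidden', and a session bound to the IP address it was issued to. The site host and the session/IP values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed site host for this example; not an ocPortal setting.
SITE_HOST = "www.example.com"


def cookie_sent_to(request_host, cookie_domain=None):
    """RFC 6265 domain matching for a cookie set by SITE_HOST.

    With no Domain attribute the cookie is host-only: only the exact host
    that set it gets it back. With Domain=example.com it is also sent to
    every subdomain, which is the situation the text warns about when other
    people control subdomains of your domain."""
    host = request_host.lower()
    if cookie_domain is None:
        return host == SITE_HOST.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def referer_is_own_site(referer):
    """Accept a privileged form post only if the Referer names our own host.

    Empty, 'unset' or 'hidden' values (what the OcCLE check reports when a
    firewall strips referrers) do not parse as an http(s) URL and so fail
    closed, as does any foreign host, including look-alike hosts."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    return parts.hostname.lower() == SITE_HOST.lower()


def session_ip_matches(session, client_ip):
    """'Enforce IP addresses for sessions': a session ID presented from a
    different address than the one it was issued to is rejected."""
    return session.get("ip") == client_ip


def allow_privileged_request(session, client_ip, referer):
    """Both the session binding and the referrer check must pass."""
    return (session_ip_matches(session, client_ip)
            and referer_is_own_site(referer))
```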
We may consider future changes to ocPortal that mitigate risks on these insecure scenarios, but there's really no good reason for them to occur and they are all intrinsically problematic regardless of ocPortal's behaviour – so the best course of action is just to make sure they don't apply to you.