Security Bulletin - Geocortex Viewer for HTML5 - 9/30/2015
We have recently identified a security issue where Geocortex Essentials REST tokens may be leaked when:
- Using the HTML5 Viewer to access external GeoRSS feeds belonging to a secured site
- Custom code calls certain Geocortex Essentials API utilities to issue requests to non-Essentials endpoints
- Accessing secured ArcGIS Online content through the HTML5 viewer in Essentials 3.15 to 4.1.5
Applications that may be affected include:
- Geocortex Viewer for HTML5 2.0+, belonging to secured sites that contain GeoRSS feeds external to the organization.
- Developers initializing objects from non-Essentials endpoints via geocortex.request, RestHelperHTTPService, or AsyncInitializable.
- Customers using Geocortex Essentials versions 3.15 to 4.1.5 (inclusive) to access secured content from ArcGIS Online.
This issue stems from using the RestHelperHTTPService, geocortex.request, and AsyncInitializable utilities/classes in the Geocortex Essentials API for JavaScript to load HTTP resources hosted outside of secured instances of Geocortex Essentials REST: for example, using geocortex.request to request an untrusted HTTP (or HTTPS) resource outside of the organization, or extending AsyncInitializable in order to instantiate a custom object from an untrusted endpoint. In these cases the REST token is appended to the outgoing HTTP (or HTTPS) request, on the assumption that the requested resource is an Essentials REST resource. While these utilities are intended for use against trusted endpoints within the umbrella of Geocortex Essentials site security, the documentation for these utilities does not make this explicitly clear.
Implementers should review any custom code that directly uses any of these three facilities to ensure that they are used only against trusted endpoints within the organization.
If you are using Geocortex Essentials versions 3.15 to 4.1.5 to access secured ArcGIS Online content from within the HTML5 viewer, consider upgrading to the latest version (4.4).
In version 2.5.1 of Geocortex Viewer for HTML5, we will begin enforcing token scope rules to ensure that tokens are not attached to requests for non-Essentials endpoints. We'll also provide a way for developers to add scope rules in order to allow specific use cases where passing the REST token is explicitly intended.
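As an added illustration of the token scope enforcement described above (example code written for this bulletin, not Geocortex's own implementation; the helper names, the rule list and the sample URLs are assumptions), the check below compares the parsed origin and path of an outgoing request against an allow-list of trusted Essentials REST base URLs and attaches the token only on a match, so a GeoRSS feed or any other non-Essentials endpoint never receives it:

```javascript
// Added example: decide whether a REST token may be attached to an outgoing
// request. Hypothetical helper, not part of the Geocortex Essentials API.
// A scope rule is a trusted Essentials REST base URL. A request is in scope
// only when its origin (scheme, host, port) matches a rule exactly and its
// path sits under the rule's path. Raw string-prefix matching on the URL is
// deliberately avoided: "https://essentials.example.com.attacker.test/..."
// would pass such a check while failing an origin comparison.

function withTrailingSlash(path) {
  return path.endsWith("/") ? path : path + "/";
}

function parseRule(rule) {
  const u = new URL(rule);
  return { origin: u.origin, path: withTrailingSlash(u.pathname) };
}

function isInScope(requestUrl, scopeRules) {
  let target;
  try {
    target = new URL(requestUrl);
  } catch (e) {
    return false; // unparsable URL: never attach credentials
  }
  const targetPath = withTrailingSlash(target.pathname);
  // Origin comparison also rejects an http:// request against an https://
  // rule, so configure rules with the scheme the secured site actually uses.
  return scopeRules
    .map(parseRule)
    .some((r) => r.origin === target.origin && targetPath.startsWith(r.path));
}

// Out-of-scope requests are still sent, just without the token, mirroring
// "tokens are not attached to requests for non-Essentials endpoints".
// Carrying the token as a "token" query parameter is an assumption; the
// bulletin does not state how the token is appended.
function buildRequestUrl(requestUrl, token, scopeRules) {
  if (!isInScope(requestUrl, scopeRules)) return requestUrl;
  const u = new URL(requestUrl);
  u.searchParams.set("token", token);
  return u.toString();
}
```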
We always take potential security concerns extremely seriously and apologize for any inconvenience. If you have any questions or concerns, please do not hesitate to contact us.