CERT Security Issue: GE Fanuc Proficy Real-Time Information Portal allows arbitrary file upload and execution
Description

CERT issued a security bulletin (http://www.kb.cert.org/vuls/id/339345) for Proficy Portal.  The purpose of this knowledgebase article is to provide customers with information on how to mitigate this issue.

The bulletin describes a weakness in the system which allows an authorized Proficy Portal user to upload an arbitrary file (including an ASP file) to the web server’s main virtual directory, where it can be launched by requesting it from a web browser.  This issue is classified as Remote Code Execution.

Working in conjunction with CERT, GE Fanuc Intelligent Platforms published a Software Improvement Module (SIM) on January 31, 2008 to address this issue.

SIMs are always cumulative back to the previous product release or Service Pack. As a result, if you have any SIM installed on or after January 31, 2008, you will have the update for this issue. The latest Proficy Portal SIM can be obtained from the Downloads section of the GE Fanuc support site (http://support.gefanuc.com).

To further verify your installation contains this update, you can check the date of several key files on the Proficy Portal server. The date and time on the files should match those below OR be more recent. These files will reside in the virtual directory you specified when the product was installed. By default, this would be:

C:\Program Files\GE Fanuc\Proficy Portal\webapps\infoagentsrv

The key files are:

01/28/08  10:25 AM    ClientDataAccess.jar
01/28/08  10:26 AM    DataAccess.jar
01/31/08  08:56 AM    System.jar
01/31/08  08:56 AM    SystemApp.jar
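
The date check above can be scripted. The following PowerShell is an added example, not code from GE Fanuc; the parameter name $PortalDir is hypothetical, and the script assumes the dates listed above are local time on the Proficy Portal server.

```powershell
# Added example: compare the four key JAR files against the dates listed in KB12460.
param(
    # Default install path from the article; pass your own virtual directory if it differs.
    [string]$PortalDir = 'C:\Program Files\GE Fanuc\Proficy Portal\webapps\infoagentsrv'
)

# Minimum dates from the article. Assumption: they are local time on the server.
$baseline = [ordered]@{
    'ClientDataAccess.jar' = '2008-01-28 10:25'
    'DataAccess.jar'       = '2008-01-28 10:26'
    'System.jar'           = '2008-01-31 08:56'
    'SystemApp.jar'        = '2008-01-31 08:56'
}
$culture = [Globalization.CultureInfo]::InvariantCulture

$results = foreach ($name in $baseline.Keys) {
    $minimum = [datetime]::ParseExact($baseline[$name], 'yyyy-MM-dd HH:mm', $culture)
    $path    = Join-Path $PortalDir $name
    $file    = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    if (-not $file) {
        # The file is not in this directory: wrong path or incomplete install.
        $found  = $null
        $status = 'MISSING'
    } else {
        # "Match or be more recent": last-write time must not predate the listed time.
        $found  = $file.LastWriteTime
        $status = if ($found -ge $minimum) { 'OK' } else { 'OLDER' }
    }

    [pscustomobject]@{
        File     = $name
        Required = $minimum
        Found    = $found
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or inventory tool flag the server.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

A MISSING or OLDER row means the update is not confirmed for that file in the directory checked. A file's date can change when it is copied or restored, so treat an OK result as an indication and confirm the installed SIM as well.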

To further increase the security of your installation, you may configure the Proficy Portal Server to use SSL (Secure Sockets Layer). This is particularly useful if you have not chosen to use Windows Authentication in your IIS web server. For more information on SSL, please see the KB article entitled “Portal Security” and the topic SSL in the Proficy Portal user’s manual.

 


Product: Real-Time Information Portal
Version: All
Module: All


Details
ID: KB12460
Category: Articles
Last Updated: 12/03/08
Date Created: 01/17/08
Status: Published
Attachments: No
Language: English


 

