MICHAIL MOUDATSOS
Accessibility Security Issues
January 13, 2012 6:02 AM

MICHAIL MOUDATSOS

Rank: Regular Member

Posts: 110

Join Date: October 4, 2011


Hello all,

I've been trying for some time now to disable many of the possibilities that Liferay offers, trying to leave a minimum set of functionality, in order to form a web application product with high security demands. I've run through the portal.properties several times in order to find out which settings could provide an easy way to disable many Liferay capabilities that I do not need.

I've stumbled upon OpenID and forgot password. In the portal-ext.properties file I have set the following parameters:
##
## OpenID
##

    #
    # Set this to true to enable OpenId authentication. If set to true, then the
    # property "auto.login.hooks" must contain a reference to the class
    # com.liferay.portal.security.auth.OpenIdAutoLogin.
    #
    open.id.auth.enabled=false

#...

##
## Company
##

#...

    #
    # Set this to true to allow users to ask the portal to send them their
    # password.
    #
    company.security.send.password=false

    #
    # Set this to true to allow users to ask the portal to send them a password
    # reset link.
    #
    company.security.send.password.reset.link=false


However when trying with the following links

openId:
http://localhost:8080/web/guest/home?p_p_id=58&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_pos=2&p_p_col_count=3&_58_struts_action=%2Flogin%2Fopen_id

forgot password:
http://localhost:8080/web/guest/home?p_p_id=58&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_pos=2&p_p_col_count=3&_58_struts_action=%2Flogin%2Fforgot_password

The corresponding UI appears on screen!

What is the point of setting the properties then? If they serve as hide rather than disable properties, they have no important use. Besides, one could hide them using a hook of the Login portlet's JSP.

The following issue holds for Liferay 6.0.6, as well as 6.1!!!
MICHAIL MOUDATSOS
RE: Accessibility Security Issues
January 14, 2012 2:26 AM

Well, I issued a bug and it's being processed at the moment. Since the fix is probably gonna be applied to next release, here is a quick n' dirty solution using a hook:

In liferay-hook.xml you must at least have (in the sense that you might override more than that):
<hook>
    <portal-properties>portal.properties</portal-properties>

</hook>


In portal.properties located under src folder you must add the following entry (put a class name of your choice):
servlet.service.events.pre=gr.com.outsourcing.signature.liferay.LoginAccessPreAction


and finally the class implementation:

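package gr.com.outsourcing.signature.liferay;

import com.liferay.portal.kernel.events.Action;
import com.liferay.portal.kernel.events.ActionException;
import com.liferay.portal.security.auth.PrincipalException;

import java.net.URI;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Pre-service event action: rejects requests that ask the Login portlet
// (portlet id 58) for its open_id, captcha or forgot_password actions.
public class LoginAccessPreAction extends Action
{
    @Override
    public void run(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ActionException
    {
        try
        {
            // Case 1: the action is requested directly through _58_struts_action.
            String [] values = httpServletRequest.getParameterValues("_58_struts_action");

            if(values != null && values.length > 0)
            {
                for(int vi = 0; vi < values.length; vi += 1)
                {
                    if(values[vi].contains("open_id") || values[vi].contains("captcha") || values[vi].contains("forgot_password"))
                    {
                        throw new PrincipalException();
                    }
                }
            }

            // Case 2: the action is carried inside the query string of currentURL.
            values = httpServletRequest.getParameterValues("currentURL");

            if(values != null && values.length > 0)
            {
                URI currURI = new URI(values[0]);

                // getQuery() returns the decoded query, or null when the URL has none.
                String queryString = currURI.getQuery();

                System.out.println("\nquery of currentURL:\n"+queryString);

                if(queryString != null)
                {
                    // Split into name=value pairs first, then split each pair on its first '='.
                    String [] param = queryString.split("[&]");

                    for(int pi = 0; pi < param.length; pi += 1)
                    {
                        String [] pair = param[pi].split("[=]", 2);

                        // pair[0] is the parameter name, pair[1] its value (absent for a bare name).
                        if(pair.length == 2 && pair[0].contains("struts_action"))
                        {
                            if(pair[1].contains("open_id") || pair[1].contains("captcha") || pair[1].contains("forgot_password"))
                            {
                                throw new PrincipalException();
                            }
                        }
                    }
                }
            }
        }
        catch(Exception e)
        {
            // Any failure, including the PrincipalException above, aborts the request.
            throw new ActionException(e);
        }
    }
}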


Note that I'm not an HTTP expert, nor am I sure if I have taken into account all possible URLs through which openid and remember me can be requested. If someone knows any other combinations, please list them here.

PS. Yes, it IS Saturday here as well
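
A broader form of the check in the hook above, as an added example that is not the poster's or Liferay's code: it inspects every request parameter and any URL nested inside a parameter value (such as currentURL), splitting on `&` before `=`. The class name `BlockedActionMatcher`, the `MAX_DEPTH` limit and matching any parameter name ending in `struts_action` are assumptions.

```java
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class BlockedActionMatcher {
    // The same three fragments the hook above rejects.
    static final List<String> BLOCKED = Arrays.asList("open_id", "captcha", "forgot_password");
    static final int MAX_DEPTH = 3; // assumption: limit on URLs nested inside URLs

    // params: the already-decoded map from HttpServletRequest.getParameterMap().
    public static boolean isBlocked(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet())
            for (String value : e.getValue())
                if (check(e.getKey(), value, 0)) return true;
        return false;
    }

    static boolean check(String name, String value, int depth) {
        if (name == null || value == null) return true;   // undecodable input: refuse
        if (name.endsWith("struts_action"))
            for (String b : BLOCKED) if (value.contains(b)) return true;
        int q = value.indexOf('?');
        if (q < 0) return false;                           // no embedded query string
        if (depth >= MAX_DEPTH) return true;               // nested too deep: refuse
        // Split on '&' first, then on the first '=' only; every pair is inspected,
        // so a repeated parameter cannot hide an earlier value.
        for (String pair : value.substring(q + 1).split("&")) {
            String[] kv = pair.split("=", 2);
            if (kv.length == 2 && check(decode(kv[0]), decode(kv[1]), depth + 1)) return true;
        }
        return false;
    }

    static String decode(String s) {
        try { return URLDecoder.decode(s, "UTF-8"); }
        catch (Exception ex) { return null; }              // malformed escape
    }

    public static void main(String[] args) {
        // Constructed sample: the action sits inside currentURL, after another parameter.
        Map<String, String[]> p = new HashMap<String, String[]>();
        p.put("currentURL", new String[] {
            "/web/guest/home?p_p_id=58&_58_struts_action=%2Flogin%2Fopen_id" });
        System.out.println(isBlocked(p));
        p.clear();
        p.put("p_p_id", new String[] { "58" });            // constructed harmless request
        System.out.println(isBlocked(p));
    }
}
```

In a pre-action like the one above, `isBlocked(httpServletRequest.getParameterMap())` returning true would be the point at which to throw `PrincipalException`.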
MICHAIL MOUDATSOS
RE: Accessibility Security Issues
January 26, 2012 5:23 AM

There are URLs that can be accessed by a Guest user! Such as:

http://localhost:8080/html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html
http://localhost:8080/html/js/aui/uploader/assets/uploader.swf
http://localhost:8080/html/js/aui/aui-video/assets/player.swf
http://localhost:8080/html/portlet/xsl_content/example.xml

The above concern 6.0.6.

Is there a resource to all Liferay vulnerabilities and security holes? Is it, after all, feasible to make a security-critical application run on Liferay?
MICHAIL MOUDATSOS
RE: Accessibility Security Issues
January 27, 2012 12:43 AM
bergkamp sliew
RE: Accessibility Security Issues
February 16, 2012 3:30 AM

bergkamp sliew

Rank: New Member

Posts: 18

Join Date: November 8, 2009


Same goes with the following URLs:

http://localhost:8080/html/js/editor/fckeditor/editor/filemanager/connectors/test.html
http://localhost:8080/en/WEB-INF/web.xml

Any quick fix for this issue?