Foren

  1. Startseite
  2. Development
  3. Accessibility Security Issues

Accessibility Security Issues

MICHAIL MOUDATSOS, geändert vor 12 Jahren.

Accessibility Security Issues

Regular Member Beiträge: 110 Beitrittsdatum: 04.10.11 Neueste Beiträge
Hello all,

I've been trying for some time now to disable many of the possibilities that Liferay offers, trying to leave a minimum set of functionality, in order to form a web application product with high security demands. I've run through the portal.properties several times in order to find out which settings could provide an easy way to disable many Liferay capabilities that I do not need.

I ve stumbled upon openid and forgot password. In portal-ext.properties file I have set the following parameters:
##
## OpenID
##

    #
    # Set this to true to enable OpenId authentication. If set to true, then the
    # property "auto.login.hooks" must contain a reference to the class
    # com.liferay.portal.security.auth.OpenIdAutoLogin.
    #
    open.id.auth.enabled=false

#...

##
## Company
##

#...

    #
    # Set this to true to allow users to ask the portal to send them their
    # password.
    #
    company.security.send.password=false

    #
    # Set this to true to allow users to ask the portal to send them a password
    # reset link.
    #
    company.security.send.password.reset.link=false


However when trying with the following links

openId:
http://localhost:8080/web/guest/home?p_p_id=58&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_pos=2&p_p_col_count=3&_58_struts_action=%2Flogin%2Fopen_id

forgot password:
http://localhost:8080/web/guest/home?p_p_id=58&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_pos=2&p_p_col_count=3&_58_struts_action=%2Flogin%2Fforgot_password

The corresponding UI appears on screen!

What is the point of setting the properties then? If they serve as hide rather than disable properties, they have no important use. Besides one could hide them using a hook of Login portlet's jsp

The following issue holds for Liferay 6.0.6, as well as 6.1!!!
MICHAIL MOUDATSOS, geändert vor 12 Jahren.

RE: Accessibility Security Issues

Regular Member Beiträge: 110 Beitrittsdatum: 04.10.11 Neueste Beiträge
Well, I issued a bug and it's being processed at the moment. Since the fix is probably gonna be applied to next release, here is a quick n' dirty solution using a hook:

In liferay-hook.xml you must at least have (in the sense that you might override more than that):
<hook>
	<portal-properties>portal.properties</portal-properties>

</hook>


In portal.properties located under src folder you must add the following entry (put a class name of your choice):
servlet.service.events.pre=gr.com.outsourcing.signature.liferay.LoginAccessPreAction


and finally the class implementation:

public class LoginAccessPreAction extends Action
{
	@Override
	public void run(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ActionException
	{
		try
		{
			String [] values = httpServletRequest.getParameterValues("_58_struts_action");

			if(values != null &amp;&amp; values.length &gt; 0)
			{
				for(int vi = 0; vi &lt; values.length; vi += 1)
				{
					if(values[vi].contains("open_id") || values[vi].contains("captcha") || values[vi].contains("forgot_password"))
					{
						throw new PrincipalException();
						//System.out.println(values[vi] + " value of _58_struts_action parameter detected");
					}
				}
			}

			values = httpServletRequest.getParameterValues("currentURL");

			if(values != null &amp;&amp; values.length &gt; 0)
			{
				URI currURI = new URI(values[0]);

				System.out.println("\nquery of currentURL:\n"+currURI.getQuery());

				String queryString = currURI.getQuery();

				String [] param = queryString.split("[=]");

				for(int pi = 0; pi &lt; param.length; pi += 1)
				{
					String [] pair = param[pi].split("[&amp;]");

					if(pair[0].contains("struts_action"))
					{
						if(pair[1].contains("open_id") || pair[1].contains("captcha") || pair[1].contains("forgot_password"))
						{
							throw new PrincipalException();
						}
					}
				}
			}
		}
		catch(Exception e)
		{
			throw new ActionException(e);
		}
	}
}


Note that I'm not an http expert nor am I sure If I have taken into account all possible urls through which openid and remember me can be requested. If someone knows any other combinations, please list them here

PS. Yes, it IS Saturday here as well emoticon
MICHAIL MOUDATSOS, geändert vor 12 Jahren.

RE: Accessibility Security Issues

Regular Member Beiträge: 110 Beitrittsdatum: 04.10.11 Neueste Beiträge
There are URLs that can be accessed by a Guest user! Such as:

http://localhost:8080/html/js/editor/fckeditor/editor/filemanager/browser/liferay/browser.html
http://localhost:8080/html/js/aui/uploader/assets/uploader.swf
http://localhost:8080/html/js/aui/aui-video/assets/player.swf
http://localhost:8080/html/portlet/xsl_content/example.xml

The above concern 6.0.6

Is there a resource to all Liiferay vulnerabilities and security holes? Is it after all, feasible to make a security-critical application to run on Liferay?
MICHAIL MOUDATSOS, geändert vor 12 Jahren.

RE: Accessibility Security Issues

Regular Member Beiträge: 110 Beitrittsdatum: 04.10.11 Neueste Beiträge
Also, check this out:
http://www.cvedetails.com/vulnerability-search.php?f=1&vendor=Liferay&product=&cveid=&cweid=&cvssscoremin=&cvssscoremax=&psy=&psm=&pey=&pem=&usy=&usm=&uey=&uem=
thumbnail
bergkamp sliew, geändert vor 12 Jahren.

RE: Accessibility Security Issues

New Member Beiträge: 18 Beitrittsdatum: 08.11.09 Neueste Beiträge
Same goes with the following URLs :

http://localhost:8080/html/js/editor/fckeditor/editor/filemanager/connectors/test.html
http://localhost:8080/en/WEB-INF/web.xml

Any quick fix for this issue?