WebServerServlet offers all accessible documents

Details

Type: Sub-task
Status: Closed
Priority: Minor
Resolution: Duplicate
Affects Version/s: 6.1.0 CE RC1
Fix Version/s: --Sprint 12/11, 6.1.0 CE RC1
Component/s: DM > Document Library Display
Labels:
- bugsquad
Environment:
Tomcat 7.0.21 + MYSQL5.0. 6.1.x Revision 89665.

Similar Issues:

Show 5 results

Description

Maybe it's not important issue, but can be dangerous when used inappropriately.

WebServerServlet displays all files, including those who aren't linked from the web. If user doesn't have document library portlet on the pages and doesn't directly refer the documents, he might get wrong feeling of safety (for example documents from public folder which is not accessible through any link), in other words: security by obscurity.

I'm not sure if all files should be accessible from http://www.liferay.com/documents/guest/, for example http://www.liferay.com/documents/guest/Training%20Documents/Course%20Guides/ ?

User should be aware of this functionality or it should be disabled by default.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Amos Fong added a comment - 25/Sep/11 11:03 PM

Tomas,

Thanks for the heads up. In terms of Liferay.com, we are aware of the servlet and only public files are accessible. The file you mentioned is the course descriptions which are publicly linked (http://www.liferay.com/services/training/topics/developer-training).

In terms of the Liferay portal side evaluation, I'll leave it to someone else more qualified.

Show

Amos Fong added a comment - 25/Sep/11 11:03 PM Tomas, Thanks for the heads up. In terms of Liferay.com, we are aware of the servlet and only public files are accessible. The file you mentioned is the course descriptions which are publicly linked ( http://www.liferay.com/services/training/topics/developer-training ). In terms of the Liferay portal side evaluation, I'll leave it to someone else more qualified.

Hide

Permalink

Tammy Fong added a comment - 26/Sep/11 1:25 AM

Hi Tomas,
Thank you for your report. I was able to reproduce the situation. Guests are able to view public files and folders (those with guest view permission) by navigating to those type of links. Uploaded files and added folders by default can be viewed by guests. It may be a security issue if users are not aware of this function; i.e. guests can see every public file/folder in the documents and media portlet regardless it existing on pages or not. I will update this ticket to let developers review this. These were my steps:

1. Navigate to Control Panel> Documents and Media portlet
2. At Documents Home,
a. add folder with guest view
b. add folder without guest view
c. add file with guest view
d. add file without guest view
3. As guest, navigate to /documents/guest/

Guests are able to see folders and files with view permission.

Show

Tammy Fong added a comment - 26/Sep/11 1:25 AM Hi Tomas, Thank you for your report. I was able to reproduce the situation. Guests are able to view public files and folders (those with guest view permission) by navigating to those type of links. Uploaded files and added folders by default can be viewed by guests. It may be a security issue if users are not aware of this function; i.e. guests can see every public file/folder in the documents and media portlet regardless it existing on pages or not. I will update this ticket to let developers review this. These were my steps: 1. Navigate to Control Panel> Documents and Media portlet 2. At Documents Home, a. add folder with guest view b. add folder without guest view c. add file with guest view d. add file without guest view 3. As guest, navigate to /documents/guest/ Guests are able to see folders and files with view permission.

Hide

Permalink

Samuel Kong added a comment - 28/Sep/11 10:13 PM

Removing security component because there's no security issue here.
Also, removing ticket from the current sprint.

Show

Samuel Kong added a comment - 28/Sep/11 10:13 PM Removing security component because there's no security issue here. Also, removing ticket from the current sprint.

Hide

Permalink

Mika Koivisto added a comment - 11/Nov/11 8:21 PM

This is a security issue just like Tomas reported. It's fixed by ~~LPS-22600~~ by making indexing configurable and it's by default turned off.

Show

Mika Koivisto added a comment - 11/Nov/11 8:21 PM This is a security issue just like Tomas reported. It's fixed by LPS-22600 by making indexing configurable and it's by default turned off.

Hide

Permalink

Tomáš Polešovský added a comment - 12/Nov/11 2:00 PM

Thank you Mika.

Show

Tomáš Polešovský added a comment - 12/Nov/11 2:00 PM Thank you Mika.

People

Assignee:

SE Support

Reporter:

Tomáš Polešovský

Participants of an Issue:

Amos Fong, Mika Koivisto, Samuel Kong, SE Support, Tammy Fong, Tomáš Polešovský

Vote (0)

Watch (4)

Dates

Created:

23/Sep/11 2:10 PM

Updated:

16/Nov/11 3:40 PM

Resolved:

11/Nov/11 8:21 PM

Days since last comment:

1 year, 27 weeks, 5 days ago

Agile

View on Board

~~LPS-22578~~	WebServerServlet serves broken documents due to wrong determined content size
~~LPS-32063~~	WebServerServlet doesn't allow to view documents directly
~~LPS-25338~~	WebServerServlet does not always support range HTTP header
~~LPS-26596~~	Potential memory leak and security vulnerability through CacheFilter and WebServerServlet
~~LPS-6876~~	Authentication Not Working for Direct Access to Documents & Articles