[LPS-136288] Profile picture is missing server side validation on the size - Liferay Issues

XML

Word

Printable

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 7.1.X, 7.2.X, 7.3.X, Master
Fix Version/s: 7.1.10 DXP FP26, 7.1.10.7 SP7, 7.1.X, 7.2.10 DXP FP15, 7.2.X, 7.3.10.3 DXP SP3, 7.3.X, 7.4.13 DXP GA1, 7.4.3.4 CE GA4, Master
Component/s: Application Security, Documents & Media, User Management
Labels:

As a preparation, please have Burp Suite installed as it will be required to reproduce this issue.

The Community Edition is free and can be downloaded from here:
https://portswigger.net/burp/communitydownload

Steps to reproduce:

Start up Liferay
Open Burp Suite (Select Temporary project)
Click on Proxy from the top navbar
Click on Open Browser (And click on Intercept is On to turn it off)
Log in as the administrator
Go to Account settings
Upload the attached image (notice how the image is 390Kb and the max file size is 300Kb)
Go to Burp Suite and click on the Intercept is off button
Click on Save
Go back to Burp and find the following variable: _com_liferay_image_uploader_web_portlet_ImageUploaderPortlet_maxFileSize
Set the size of it to 100307200
Click on Forward in Burp
Turn interception off
Click save

Expected behavior : The image is not accepted and uploaded as it is over the size limit
Actual behavior : The image is uploaded and used