PUBLIC - Liferay Portal Community Edition
LPS-15517

Configuring RequestHeaderAutoLogin opens your system up to attackers

Description

Problem
=======

If you configure RequestHeaderAutoLogin in portal-ext.properties like this:

auto.login.hooks=com.liferay.portal.security.auth.RequestHeaderAutoLogin

it opens up your system to attackers.

RequestHeaderAutoLogin checks whether the LIFERAY_SCREEN_NAME header is set on the request. When it is set, it finds the user that corresponds to the specified screen name and logs you in as that user. No questions asked. It does not check any credentials.

Because headers can be set on the client side, this is a huge security risk.

Steps to reproduce
==================

• Configure the RequestHeaderAutoLogin in portlet-ext.properties
• Download the Poster plugin for Firefox and craft a request that points to http://localhost:8080/web/guest and has the liferay_screen_name header set to test@liferay.com

You will be logged in as the admin user.

Possible solution
=================

This hook should be changed to include a whitelist of IPs/hosts for which it allows access in this way.
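The following is an added illustration of the allowlist idea proposed above; it is not Liferay's code and does not use the Liferay API. It models the trust decision a header-based auto-login hook has to make: the identity header is honoured only when the request's socket peer address (which the server sets, not the client) falls inside an allowlisted network, such as the address of an SSO gateway or reverse proxy. The header name LIFERAY_SCREEN_NAME and the screen name test@liferay.com come from the issue; the network ranges, the Request class and the user directory with its user ids are constructed for the example. The unhardened variant is included only to show the behaviour the issue describes, side by side with the hardened one.

```python
"""Illustrative allowlist check for a header-based auto-login hook.

Constructed example, not Liferay code. Only the socket peer address is
consulted; every header, including X-Forwarded-For, is treated as
client-controlled and therefore untrusted.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Header the issue describes: whoever sets it names the account to log in as.
SCREEN_NAME_HEADER = "LIFERAY_SCREEN_NAME"

# Constructed allowlist: only these addresses (e.g. the SSO gateway or reverse
# proxy in front of the portal) are permitted to assert identities.
TRUSTED_NETWORKS = (
    ipaddress.ip_network("10.0.0.5/32"),
    ipaddress.ip_network("192.168.100.0/24"),
)

# Constructed user directory: screen name -> user id (hypothetical ids).
USER_DIRECTORY: Dict[str, int] = {"test@liferay.com": 1001, "alice": 1002}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    remote_addr: str                                         # TCP peer address, set by the server
    headers: Dict[str, str] = field(default_factory=dict)    # client-controlled

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup, since HTTP header names are case-insensitive."""
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def unsafe_auto_login(request: Request, directory: Dict[str, int] = USER_DIRECTORY) -> Optional[int]:
    """Behaviour the issue describes: trust the header from anyone, no credentials checked."""
    screen_name = request.header(SCREEN_NAME_HEADER)
    if not screen_name:
        return None
    return directory.get(screen_name)


def peer_is_trusted(remote_addr: str, networks: Iterable = TRUSTED_NETWORKS) -> bool:
    """True only if the socket peer address lies inside an allowlisted network."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: fail closed
    return any(peer in net for net in networks)


def allowlisted_auto_login(
    request: Request,
    directory: Dict[str, int] = USER_DIRECTORY,
    networks: Iterable = TRUSTED_NETWORKS,
) -> Optional[int]:
    """Hardened variant: the header is honoured only when the peer is allowlisted.

    The peer check runs before the header is even read, so a request from an
    untrusted address yields None regardless of what headers it carries.
    """
    if not peer_is_trusted(request.remote_addr, networks):
        return None
    screen_name = request.header(SCREEN_NAME_HEADER)
    if not screen_name:
        return None
    return directory.get(screen_name)


if __name__ == "__main__":
    # Constructed request from an arbitrary Internet address carrying the header.
    # X-Forwarded-For is also set, to show that forwarded headers are ignored.
    external = Request(
        "203.0.113.7",
        {"LIFERAY_SCREEN_NAME": "test@liferay.com", "X-Forwarded-For": "10.0.0.5"},
    )
    # Constructed request from the allowlisted gateway address.
    gateway = Request("10.0.0.5", {"liferay_screen_name": "alice"})

    print("unsafe, external peer:     ", unsafe_auto_login(external))
    print("allowlisted, external peer:", allowlisted_auto_login(external))
    print("allowlisted, gateway peer: ", allowlisted_auto_login(gateway))
```

The decision deliberately uses only the peer address: a client can put anything into X-Forwarded-For or similar headers, so trusting them would reopen the same hole. Where the portal sits behind a proxy, the proxy must also strip any incoming LIFERAY_SCREEN_NAME header before adding its own, otherwise a client can pass its chosen value through the trusted hop.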
