- Type: Bug
- Status: Closed
- Resolution: Won't Fix
- Affects Version/s: 6.0.5 GA
- Fix Version/s: --Sprint 12/11, 6.1.0 CE RC1
- Component/s: Accessibility, Security Vulnerability
- Labels: None
Problem
=======
If you configure RequestHeaderAutoLogin in portal-ext.properties like this:
auto.login.hooks=com.liferay.portal.security.auth.RequestHeaderAutoLogin
it opens your system up to attackers.
RequestHeaderAutoLogin checks whether the LIFERAY_SCREEN_NAME header is set on the request. When it is set, the hook looks up the user with that screen name and logs you in as that user. No questions asked; it does not check any credentials.
Because headers can be set on the client side, this is a huge security risk.
Steps to reproduce
==================
- Configure RequestHeaderAutoLogin in portal-ext.properties.
- Download the Poster plugin for Firefox and craft a request that points to http://localhost:8080/web/guest and has the liferay_screen_name header set to test@liferay.com.
You will be logged in as the admin user.
Possible solution
=================
This hook should be changed to include a white list of IPs/hosts for which it allows access in this way.
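As an added illustration of the allow-list fix proposed above (example code written for this page, not Liferay's own hook implementation): a Python model of the peer check the hook would need, plus a detection pass over constructed access-log lines that flags the header arriving from a non-allow-listed peer. The allow-listed networks, the peer addresses and the log line format are all assumptions.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed allow-list for this example: only the SSO gateway / reverse proxy
# that actually authenticated the user may assert an identity via the header.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.5/32", "192.168.10.0/24")]
HEADER = "LIFERAY_SCREEN_NAME"  # the header the hook trusts, per the issue


def is_trusted_peer(remote_addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True only if the TCP peer address lies inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:  # malformed or missing address: never trust it
        return False
    return any(addr in net for net in trusted)


def screen_name_from_request(remote_addr: str, headers: Mapping[str, str],
                             trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Screen name to auto-login, or None when the header must be ignored.

    Header names are case-insensitive, so the lookup is normalised; a header
    sent by a peer outside the allow-list is dropped even though it is present.
    """
    value = {k.upper(): v for k, v in headers.items()}.get(HEADER, "").strip()
    if not value or not is_trusted_peer(remote_addr, trusted):
        return None
    return value


# Constructed access-log excerpt: "<peer> <method> <path> <header=value or ->".
SAMPLE_LOG = """\
10.0.0.5 GET /web/guest LIFERAY_SCREEN_NAME=alice
203.0.113.7 GET /web/guest liferay_screen_name=test@liferay.com
198.51.100.2 GET /web/guest -
"""


def untrusted_identity_headers(log_text: str, trusted=TRUSTED_PROXIES) -> list:
    """Detection: (peer, asserted screen name) for each line in which a peer
    that is not an allow-listed proxy supplied the identity header."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[3] == "-":
            continue
        name, _, value = parts[3].partition("=")
        if name.upper() == HEADER and not is_trusted_peer(parts[0], trusted):
            hits.append((parts[0], value))
    return hits
```

The peer check only holds if the allow-listed proxy itself strips or overwrites any LIFERAY_SCREEN_NAME header arriving from the client, and if the application uses the real TCP peer address rather than a client-controlled forwarding header.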
Relates to:
- LPS-15591 Add additional security checks to RequestHeaderAutoLogin when used in combination with WSRP (Closed)