[LPS-15517] Configuring RequestHeaderAutoLogin opens your system up to attackers - Liferay Issues

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Won't Fix
Affects Version/s: 6.0.5 GA
Fix Version/s: --Sprint 12/11, 6.1.0 CE RC1
Component/s: Accessibility, Security Vulnerability
Labels:
None

Description

Problem
=======

If you configure RequestHeaderAutoLogin in portal-ext.properties like this :

auto.login.hooks=com.liferay.portal.security.auth.RequestHeaderAutoLogin

It open's up your system to attackers

RequestHeaderAutoLogin checks if the LIFERAY_SCREEN_NAME header is set on the request. When it sets, it finds the user that corresponds to the specified screen name and logs you in as that user. No questions asked. It does not check any credentials

Because headers can be set on the client side, this is a huge security risk.

Steps to reproduce
===============

Configure the RequestHeaderAutoLogin in portlet-ext.properties
Download the poster plugin for firefox and craft a request that points to http://localhost:8080/web/guest and has the liferay_screen_name header set to test@liferay.com

You will be logged in as the admin user

Possible solution
==============

This hook should be changed to include a white list of ip's / hosts for which it allows access in this way

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Screenshot.png
534 kB
27/Feb/11 8:31 AM

Issue Links

relates

LPS-15591 Add additional security checks to RequestHeaderAutoLogin when used in combination with WSRP

Closed

Activity

People

Assignee:

SE Support

Reporter:

Jelmer Kuperus (Inactive)

Participants of an Issue:

Jelmer Kuperus, Mika Koivisto, SE Support, Sophia Zhang

Recent user:

Esther Sanz

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

25/Feb/11 5:09 AM

Updated:

01/Dec/15 5:33 AM

Resolved:

01/Mar/11 5:59 PM

Days since last comment:

6 years, 25 weeks, 1 day ago