Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-26596

Potential memory leak and security vulnerability through CacheFilter and WebServerServlet

    Details

      Description

      Currently for search engine optimization (and possibly to be immune to those values changing), when there are four parts to the path in WebServerServlet the middle two sections are ignored and only the groupId and the uuid_ are used to return the image.

      While this is not problematic in of itself, if a user uploads any file to the Documents and Media portlet and crafts 10,000 versions of the /image/groupId/gibberish/gibberish/uuid URL with different values of gibberish each time, they can fill up the CacheUtil cache (by default 10,000 elements) with items up to cache.content.threshold.size (default 512,000 bytes).

      With default configuration settings for cache and max image size, a malicious user can fill up 5 GB of heap by requesting a 512,000 byte image 10,000 times with different values for the middle two components of the path each time. For most Liferay installations, this is sufficient to crash the server with an OutOfMemoryException for thirty minutes (the time it takes for the cache entries to expire).

        Attachments

          Activity

            People

            Assignee:
            brian.chan Brian Chan
            Reporter:
            minhchau.dang Minhchau Dang
            Participants of an Issue:
            Recent user:
            Esther Sanz
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Days since last comment:
              9 years, 16 weeks, 5 days ago

                Packages

                Version Package
                6.1.1 CE GA2
                6.1.20 EE GA2
                --Sprint 11/12
                6.2.0 CE M2