Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-26596

Potential memory leak and security vulnerability through CacheFilter and WebServerServlet


    • Branch Version/s:
    • Backported to Branch:


      Currently for search engine optimization (and possibly to be immune to those values changing), when there are four parts to the path in WebServerServlet the middle two sections are ignored and only the groupId and the uuid_ are used to return the image.

      While this is not problematic in of itself, if a user uploads any file to the Documents and Media portlet and crafts 10,000 versions of the /image/groupId/gibberish/gibberish/uuid URL with different values of gibberish each time, they can fill up the CacheUtil cache (by default 10,000 elements) with items up to cache.content.threshold.size (default 512,000 bytes).

      With default configuration settings for cache and max image size, a malicious user can fill up 5 GB of heap by requesting a 512,000 byte image 10,000 times with different values for the middle two components of the path each time. For most Liferay installations, this is sufficient to crash the server with an OutOfMemoryException for thirty minutes (the time it takes for the cache entries to expire).




            • Votes:
              0 Vote for this issue
              0 Start watching this issue


              • Created:
                Days since last comment:
                6 years, 2 weeks, 1 day ago