- Type: Bug
- Status: Closed
- Resolution: Won't Fix
- Affects Version/s: 6.1.30 EE GA3, 6.1.X EE, 7.0.0 M3
- Fix Version/s: 6.1.30 EE GA3, 6.1.X EE, 7.0.0 M3
- Component/s: Application Security, Security Vulnerability
- Labels:
- Environment:
  LIFERAY VERSION: 7.0 (master)
  OPERATING SYSTEM: Windows 7
  APPLICATION SERVER: Tomcat 7.0.x
  JAVA VIRTUAL MACHINE: Java 6
  DATABASE: MySQL 5.1
- Fix Priority: 4
Reproduction steps:
1. Set company.security.strangers=false in the portal-ext.properties file
2. Start the portal and try to log in with your personal Google (or any other OpenID) account
3. Click OpenID in the login portlet
4. Use your Google OpenID:
   https://www.google.com/accounts/o8/id
   or
   https://www.google.com/accounts/o8/id?id=IBzuawnYZb7QLYfcjiN7xGch73l5tzPduntjTRw
   or
   https://profiles.google.com/423673095305781683875
   The first one is the right choice if you don't know your exact personal ID.
5. You are redirected to the Google login page; log in there
6. Google asks whether you trust localhost:8080 (the portal) to receive your account details; click yes
7. You are redirected back to Liferay (there is an issue where you have to log in again; if you hit this, just use the OpenID login again)
8. You are then prompted to change the Liferay password of the new user
9. Check the database: a new user has been created
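
An added example, not part of the original report and not Liferay code: a small audit that flags a portal-ext.properties file matching step 1 while OpenID login is still enabled. The property name open.id.auth.enabled and the default values used for missing keys are assumptions not stated in this report.

```python
import re

# Assumed defaults for keys missing from the file (not stated in this report).
DEFAULTS = {"company.security.strangers": "true", "open.id.auth.enabled": "true"}

def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations; the last assignment of a key wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def is_true(props, key):
    return props.get(key, DEFAULTS[key]).lower() == "true"

def audit(text):
    """Return findings for the configuration used in the reproduction steps."""
    props = parse_properties(text)
    if is_true(props, "company.security.strangers") or not is_true(props, "open.id.auth.enabled"):
        return []
    return ["company.security.strangers=false but OpenID login is enabled: "
            "per this report, an OpenID login still creates a new user"]

# Constructed sample files, not taken from a real deployment.
SAMPLE_EXPOSED = "# constructed sample\ncompany.security.strangers=false\n"
SAMPLE_CLOSED = "company.security.strangers = false\nopen.id.auth.enabled: false\n"

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("closed", SAMPLE_CLOSED)):
        print(name, audit(text) or "no finding")
```

The check only reads the properties file; settings overridden elsewhere in the portal are outside what it can see.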