Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-55567 Extract AuthVerifier implementations into OSGi module together with core AutoLogin modules
  3. LPS-56013

Authentication vulnerability - OSGi based AutoLogins are enabled by default

    XMLWordPrintable

    Details

    • Type: Technical Task
    • Status: Closed
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: 7.0.0 M6
    • Component/s: Security Vulnerability
    • Labels:
      None

      Description

      AutoLogin implementations don't have any configuration that would disable them.

      For example RequestHeaderAutoLogin doesn't check any password and authenticate anybody based on LIFERAY_SCREEN_NAME HTTP request header.

      Options to fix:
      1, @Component(enabled=false) << cannot be used because we have one class implementing both AutoLogin and AuthVerifier
      2, @Component(configurationPolicy = ConfigurationPolicy.REQUIRE) ... requires creating @Meta class for each autologin to enabled it
      3, introduce "isEnabled()" function that would work similary to #2

        Attachments

          Activity

            People

            Assignee:
            brian.chan Brian Chan
            Reporter:
            tomas.polesovsky Tomáš Polešovský
            Recent user:
            Esther Sanz
            Participants of an Issue:
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Days since last comment:
              7 years, 1 day ago

                Packages

                Version Package
                7.0.0 M6