PUBLIC - Liferay Portal Community Edition / LPS-62533

Portal framework creates too many individual permissions which leads to DoS vulnerability

    Details

      Description

      Note on implementation details

      Before this ticket we created ResourcePermission records for every portlet placed on a page. The records were identified by a plid_LAYOUT_ppid primary key; in most cases, however, they only duplicated the default permissions defined in resource-actions.xml for the respective portlet-resource.

      The implementation changes this behaviour and does not create plid_LAYOUT_ppid records on the fly.

      When a portlet is added to a page, we use the default ResourcePermission records that are created during portlet deployment.

      The default portlet resources / records are created at SCOPE_INDIVIDUAL level with name == primKey == rootPortletId (i.e. portletName_WAR_plugincontext).

      When a portal administrator assigns new permissions at SCOPE_COMPANY level, these are applied, as are SCOPE_GROUP and SCOPE_GROUP_TEMPLATE resource permissions.

      When the portal administrator defines permissions for the portlet on the page (i.e. changes the default portlet resources), we create new plid_LAYOUT_ppid records holding those manual changes; they apply only to that {portlet, page} pair.

      Low-level implementation note: the default portlet resource permission records are created for the OWNER, GUEST and SITE_MEMBER roles. During permission checking these records are picked up when the user belongs to those roles.


      Steps to reproduce:
      1. Go to http://localhost:8080/
      2. Get the number of permission records in the database using SELECT count(*) FROM ResourcePermission
      3. Go to http://localhost:8080/?p_p_state=maximized&p_p_id=90_INSTANCE_a
      4. Get the number of permission records in the database using SELECT count(*) FROM ResourcePermission
      5. Go to http://localhost:8080/?p_p_state=maximized&p_p_id=90_INSTANCE_b
      6. Get the number of permission records in the database using SELECT count(*) FROM ResourcePermission
      7. etc.

      Expected result: the number of permission records does not grow
      Actual result: the number of records grows with every new p_p_id requested
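      To make the implementation note and the reproduction steps concrete, the following is an added model, not Liferay code: an in-memory stand-in for the ResourcePermission table with the pre-fix behaviour (every rendered portlet instance gets its own plid_LAYOUT_ppid row set, so the table grows with each new p_p_id) beside the post-fix behaviour (permission checks fall back to the default rows keyed by the root portlet id, and a page-specific row set is written only when an administrator customizes that {portlet, page}). All class, function, role, action and scope names, the sample ids and the default action sets are assumptions constructed for the example.

```python
"""Added model (not Liferay code) of the ResourcePermission bookkeeping
that LPS-62533 changed. All names and sample values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

# Constructed scope labels, stand-ins for the portal's SCOPE_* constants.
SCOPE_INDIVIDUAL = "individual"
SCOPE_COMPANY = "company"
SCOPE_GROUP = "group"
SCOPE_GROUP_TEMPLATE = "group-template"

# Constructed stand-in for a portlet's resource-actions.xml defaults.
DEFAULT_ACTIONS: Dict[str, FrozenSet[str]] = {
    "OWNER": frozenset({"VIEW", "CONFIGURATION", "PERMISSIONS"}),
    "GUEST": frozenset({"VIEW"}),
    "SITE_MEMBER": frozenset({"VIEW"}),
}


@dataclass(frozen=True)
class Key:
    """Identifies a permission row: (name, scope, primKey)."""
    name: str       # root portlet id, e.g. "90"
    scope: str
    prim_key: str   # rootPortletId for defaults, "<plid>_LAYOUT_<ppid>" otherwise


class PermissionStore:
    """In-memory stand-in for the ResourcePermission table, one row per (key, role)."""

    def __init__(self) -> None:
        self.rows: Dict[Tuple[Key, str], FrozenSet[str]] = {}

    def put(self, key: Key, role: str, actions: Set[str]) -> None:
        self.rows[(key, role)] = frozenset(actions)

    def actions(self, key: Key, role: str) -> FrozenSet[str]:
        return self.rows.get((key, role), frozenset())

    def has_key(self, key: Key) -> bool:
        return any(k == key for k, _ in self.rows)

    def rows_for(self, key: Key) -> Dict[str, FrozenSet[str]]:
        return {role: a for (k, role), a in self.rows.items() if k == key}

    def count(self) -> int:
        return len(self.rows)

    def page_specific_count(self) -> int:
        """Rows carrying the _LAYOUT_ marker: the ones that grow in the pre-fix path."""
        return sum(1 for k, _ in self.rows if "_LAYOUT_" in k.prim_key)


def root_portlet_id(ppid: str) -> str:
    """'90_INSTANCE_a' -> '90': strip the instance suffix of an instanceable portlet."""
    return ppid.split("_INSTANCE_", 1)[0]


def page_key(plid: int, ppid: str) -> Key:
    return Key(root_portlet_id(ppid), SCOPE_INDIVIDUAL, f"{plid}_LAYOUT_{ppid}")


def default_key(ppid: str) -> Key:
    root = root_portlet_id(ppid)
    return Key(root, SCOPE_INDIVIDUAL, root)


def deploy_portlet(store: PermissionStore, root: str) -> None:
    """Deployment writes the default individual-scope rows exactly once."""
    for role, actions in DEFAULT_ACTIONS.items():
        store.put(Key(root, SCOPE_INDIVIDUAL, root), role, set(actions))


def render_before_fix(store: PermissionStore, plid: int, ppid: str) -> None:
    """Pre-fix: the first render of a {page, portlet instance} copies the
    defaults into a fresh plid_LAYOUT_ppid row set, so each new p_p_id adds rows."""
    key = page_key(plid, ppid)
    if not store.has_key(key):
        for role, actions in store.rows_for(default_key(ppid)).items():
            store.put(key, role, set(actions))


def render_after_fix(store: PermissionStore, plid: int, ppid: str) -> None:
    """Post-fix: rendering writes nothing; checks fall back to the defaults."""


def customize(store: PermissionStore, plid: int, ppid: str,
              role: str, actions: Set[str]) -> None:
    """Administrator edits the portlet's permissions on one page: materialize
    a page-specific row set from the defaults, then apply the change to it."""
    key = page_key(plid, ppid)
    if not store.has_key(key):
        for r, a in store.rows_for(default_key(ppid)).items():
            store.put(key, r, set(a))
    store.put(key, role, actions)


def resolve_actions(store: PermissionStore, plid: int, ppid: str, role: str,
                    company_id: int, group_id: int) -> FrozenSet[str]:
    """Post-fix check order: page-specific rows if present, else the defaults;
    company, group and group-template grants are added on top (primKey
    conventions for those scopes are a simplification made for the model)."""
    root = root_portlet_id(ppid)
    key = page_key(plid, ppid)
    granted = set(store.actions(key, role) if store.has_key(key)
                  else store.actions(default_key(ppid), role))
    granted |= store.actions(Key(root, SCOPE_COMPANY, str(company_id)), role)
    granted |= store.actions(Key(root, SCOPE_GROUP, str(group_id)), role)
    granted |= store.actions(Key(root, SCOPE_GROUP_TEMPLATE, "0"), role)
    return frozenset(granted)


def simulate(render: Callable[[PermissionStore, int, str], None],
             requests: int) -> Tuple[int, int]:
    """Replay the ticket's reproduction against the model: request ever-new
    p_p_id values and return (row count before, row count after)."""
    store = PermissionStore()
    deploy_portlet(store, "90")
    before = store.count()
    for i in range(requests):
        render(store, plid=1, ppid=f"90_INSTANCE_{i}")
    return before, store.count()


if __name__ == "__main__":
    print("before fix:", simulate(render_before_fix, 50))  # rows grow per p_p_id
    print("after fix: ", simulate(render_after_fix, 50))   # rows stay constant
```

      In the model, `page_specific_count()` plays the role of the row count the reproduction steps ask for: on the pre-fix path it rises by one row set per distinct p_p_id, on the post-fix path it moves only when an administrator actually customizes a portlet on a page, which is what bounds the table size.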


      CVSS Base Score: 7.8
      CVSS Temporal Score: 7.8
      CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:ND/RL:ND/RC:ND)

      Packages

      Version Package: 7.0.0 Beta 6