LPS-66683 (PUBLIC - Liferay Portal Community Edition)

All users are site administrators by default

    Details

      Description

      By default, Liferay Portal gives every registered user the Power User role. A signed-in user who holds the Power User role gets their own site and the permissions to manage that site's public and private pages, its content and its configuration.

      Environments affected

      All conditions must be met:

      • Portal deployments where regular users are allowed to sign in and/or create new accounts. Regular users are users who are not trusted to manage any part of the portal.
      • The portal configuration lists Power User in the admin.default.role.names portal property, which is the default configuration.

      Security risks

      • Portal users can create public portal pages and files that are harmful, offensive or obscene. Such content may be taken as trusted and valid because it is hosted on the portal's own domain.
      • When the portal does not have all security patches applied, users can obtain administrative access by exploiting one of the known, already fixed vulnerabilities.
      • When the portal deployment allows open registration of users, potentially anyone can perform these actions.

      Impact
      Portal deployment with all security patches applied and default configuration:

      • Confidentiality impact: Partial. The Power User role is used only for personal sites, which are empty by default. However, users can extract existing information through the data structures exposed to WCM templates.
      • Integrity impact: Partial. Users can create their own content. They are not allowed to modify the existing content of other sites.
      • Availability impact: Complete. Users can create WCM templates containing time-consuming loops that consume all CPU cycles when rendered. Users can create an unlimited number of resources in the database, which can slow down database operations, and an unlimited number of files on disk, which can fill up disk space.

      Portal deployments without the latest security patches, or running an insecure configuration, can be fully compromised.

      Mitigations

      Liferay recommends that clients review their Liferay Portal deployment to check whether users need their own site. If users do need their own site, review the permissions granted to those users to ensure they hold only the permissions they need.

      When regular users do not need the Power User role:

      1. Remove existing users from the Power User role.
      2. Remove Power User from the admin.default.role.names property so that new users no longer inherit the role; example configuration: admin.default.role.names=User
      3. Remove or review the existing sites and content created by those users, if possible.
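      The check a reviewer would want for step 2, added here and not part of this issue or of Liferay's own tooling: it parses the properties files in the order Liferay resolves them (portal.properties, overridden by portal-ext.properties) and reports whether admin.default.role.names still grants Power User. The embedded file contents are constructed samples, not copied from a Liferay release.

```python
import re

PROPERTY, POWER_USER_ROLE = "admin.default.role.names", "Power User"

def _continues(line):
    # A .properties line continues when it ends with an odd number of backslashes.
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1

def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    backslash continuations; a repeated key overrides the earlier value."""
    props, buf = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace is never significant
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = line
        else:
            buf += line
        if _continues(buf):
            buf = buf[:-1]
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", buf)
        if m:
            props[m.group(1)] = m.group(2).rstrip()
        buf = None
    return props

def audit_default_roles(*layers):
    """Layers in the order Liferay reads them (portal.properties, then
    portal-ext.properties); a later layer's value wins. Returns the roles every
    new user inherits and a hardened value with Power User removed (step 2)."""
    merged = {}
    for layer in layers:
        merged.update(parse_properties(layer))
    roles = [r.strip() for r in merged.get(PROPERTY, "").split(",") if r.strip()]
    hardened = [r for r in roles if r != POWER_USER_ROLE] or ["User"]
    return {"roles": roles,
            "grants_power_user": POWER_USER_ROLE in roles,
            "hardened_value": f"{PROPERTY}={','.join(hardened)}"}

# Constructed portal.properties sample with this issue's default, value split over a continuation.
PORTAL_PROPERTIES = """
    admin.default.role.names=Power User,\\
        User
"""
# Constructed portal-ext.properties override that applies the mitigation.
PORTAL_EXT_PROPERTIES = "admin.default.role.names=User\n"
```

      Run it against the real files with `audit_default_roles(open("portal.properties").read(), open("portal-ext.properties").read())`; a `grants_power_user` of True means step 2 has not yet been applied.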

      When regular users do need the Power User role:

      1. Review the Power User role's permissions and grant only the least privileges required.
      2. Review the portlet configuration and disable or limit unwanted features.

      People

      • Assignee: Samuel Kong
      • Reporter: Samuel Kong
      Packages

      • Version Package: 7.0.1 CE GA2