Discussion forums

BUG/Leak?: User without any right can see all users from site

Michel van Beek, modified 7 years ago.

BUG/Leak?: User without any right can see all users from site

New Member Posts: 3 Join date: 6/10/09
Kind Sir/Madam,

We have a huge issue with a security leak inside our Liferay 6.2 GA6 CE build. We have built several new portlets upon that to achieve the perfect environment for our clients' needs and their wishes. We have multiple environments running this instance around the globe.

Let me explain the following:

|-- Intro:
One of our clients, which has almost 100.000 users, and in this particular environment/site we developed to give their guests (with reservations) and owners (with individual houses) the opportunity to see their booked reservations and manage their payments, and for the owners to see their revenue and information about their houses.

|-- Issue:
One of their (users) owners was able to see a security leak inside the environment while he was clicking a simple broken URL link from the environment, which should have redirected him to the native and default 404 page of Liferay (with a simple “not found”, the URL they visited and the link to go back 1 step in history), but he claimed that he was directly redirected to the control panel, which we could see in his screenshots. In this way he could manage to see ALL of the users with their respective names and email addresses. In all of our test cases we could not reproduce this at all, even when giving more (with steps) rights!

|-- Role and site info:
Regarding this owner user, the roles which were assigned don’t have any rights to view the control panel, the users, or anything else, just only to visit the respective site with view on the pages. Also the User and Power User roles are disabled. We also don’t use User Groups or Organization Sites.

|-- What next:
This is a huge issue regarding the security of our environment, including the privacy (with all the law aspects involved) for our client.

Have you encountered anything like this? Or do you know how we can test these cases with hidden/leaked links or redirections to the control panel?

I hope and also expect some good and confirmed reactions from Liferay's side to help us in this matter, which we don’t want to be escalated out into the world. For both of our sakes.

Thank you very much
Samuel Kong, modified 7 years ago.

RE: BUG/Leak?: User without any right can see all users from site

Liferay Legend Posts: 1902 Join date: 10/03/08
Hi Michel,

If there's an issue here, we'll definitely want to address this. However, we'll need a lot more information to determine what the issue is.

In all of our test cases we could not reproduce this at all

Firstly, you'll need to reproduce the issue so that we can have clear steps for reproducing this issue. It will be very difficult for us to verify this issue if you can't confirm the issue.

One of their (users) owners

Are you referring to the "Owner" role in Liferay? If you are, what type of owner is this user (e.g. Organization Owner, Site Owner, etc)?

He was clicking a simple broken url link

What is this URL?

but he claimed that he was directly redirected to the control panel

What's the URL he was redirected to?

Also the User and Power User roles are disabled.

This doesn't make sense. You can't disable the User role. If you made some modification to remove the User role from the user, this might be the source for your problems.
Michel van Beek, modified 7 years ago.

RE: BUG/Leak?: User without any right can see all users from site

New Member Posts: 3 Join date: 6/10/09
Hi Samuel,

Thank you for your quick response!

In all of our test cases we could not reproduce this at all
Firstly, you'll need to reproduce the issue so that we can have clear steps for reproducing this issue. It will be very difficult for us to verify this issue if you can't confirm the issue.

This is the main issue as well: we cannot reproduce this error in any way. The page he got to see is the page an administrator reaches when going via the dockbar to "Admin -> Users" of a site. As described below, he just clicked a link (just a simple page link) and should have gone to the 404 page, but got to that "Users" page. (Once I had spoken with him on the phone, this was the simplest action to take.) But it is not reproducible at our side at all.

Also: even with a new test case and several links, the user himself could not reproduce it again.

One of their (users) owners
Are you referring to the "Owner" role in Liferay? If you are, what type of owner is this user (e.g. Organization Owner, Site Owner, etc)?

No, with owners I meant "owner of an accommodation on a resort". The "Owner" role of Liferay is not related to our users and they don't have this role.

He was clicking a simple broken url link
What is this URL?

This was a link towards an old (non-functional) asset publisher page to show some web contents, like /-/tags/news. But this was showing the 404 page, like it should, because the page did not exist. Except for this person: it got him to the users summary page and he could see all the users.

but he claimed that he was directly redirected to the control panel
What's the URL he was redirected to?

As far as I could see and asked, he was redirected to the page where all the users within the site/community are listed (dockbar -> admin -> users), like I described in my first post. Probably: /group/control_panel?refererPlid=10767&doAsGroupId=14&controlPanelCategory=current_site.users&p_p_id=174, where of course the IDs reflect the environment. Even when impersonating and logging in as that user, the page says "no rights to view this portlet".

Also the User and Power User roles are disabled.
This doesn't make sense. You can't disable the User role. If you made some modification to remove the User role from the user, this might be the source for your problems.

What I mean with this is that we don't assign any other roles by default (we deleted the default User and Power User from that list in "Portal settings" -> "default user associations"). No code changes regarding users/roles/permissions.

I am still thinking about how this is possible: a normal "guest" without any roles like Admin or Owner can have such "power" to view related and sensitive information. Does it not ring a bell to achieve the same by giving some URLs to check? Like group/control_panel/manage? - users or site_users?

Thanks so much again for a response and feedback.
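One way to hunt for the access pattern described in this post, as an added example that is not part of the thread or of Liferay's own code: it scans front-end access-log lines (constructed samples in combined log format) for successful hits on the site-scoped Users Admin portlet URL quoted above, skips an allowlist of known administrator addresses, and marks hits that follow a 404 from the same client. The log format, the client addresses and the allowlist are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (assumption: a front end logs
# this way; the portal login is not in the log, so correlation is by client IP only).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2016:10:15:02 +0100] "GET /web/resort/reservations HTTP/1.1" 200 8123 "https://portal.example/web/resort" "Mozilla/5.0"
10.0.0.5 - - [02/Mar/2016:10:15:40 +0100] "GET /web/resort/-/tags/news HTTP/1.1" 404 512 "https://portal.example/web/resort/reservations" "Mozilla/5.0"
10.0.0.5 - - [02/Mar/2016:10:15:41 +0100] "GET /group/control_panel?refererPlid=10767&doAsGroupId=14&controlPanelCategory=current_site.users&p_p_id=174 HTTP/1.1" 200 40211 "https://portal.example/web/resort/reservations" "Mozilla/5.0"
10.0.0.9 - - [02/Mar/2016:10:17:30 +0100] "GET /group/control_panel?doAsGroupId=14&controlPanelCategory=current_site.users&p_p_id=174 HTTP/1.1" 200 40211 "https://portal.example/web/resort" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
USERS_ADMIN_PORTLET_ID = "174"   # p_p_id in the control-panel URL quoted in the thread
WINDOW = timedelta(seconds=120)  # a 404 this close before a hit marks it as "after a broken link"

def is_users_admin_url(url):
    """True for a site-scoped control panel request that opens the Users Admin portlet."""
    parts = urlsplit(url)
    if not parts.path.startswith("/group/control_panel"):
        return False
    q = parse_qs(parts.query)
    return (q.get("p_p_id") == [USERS_ADMIN_PORTLET_ID]
            or q.get("controlPanelCategory") == ["current_site.users"])

def find_users_admin_hits(log_text, known_admin_ips=frozenset()):
    """Successful Users Admin hits from clients outside the admin allowlist, each
    flagged if the same client received a 404 shortly before (the sequence in the thread)."""
    last_404, hits = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "404":
            last_404[m["ip"]] = ts  # remember the broken-link visit for this client
            continue
        if m["status"] != "200" or not is_users_admin_url(m["url"]) or m["ip"] in known_admin_ips:
            continue
        prev = last_404.get(m["ip"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "referer": m["referer"],
            "group_id": parse_qs(urlsplit(m["url"]).query).get("doAsGroupId", ["-"])[0],
            "after_404": prev is not None and ts - prev <= WINDOW,
        })
    return hits
```

The access log identifies only the client address, so a flagged hit still has to be matched against the portal's own session or audit records to learn which account actually reached the page.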
Samuel Kong, modified 7 years ago.

RE: BUG/Leak?: User without any right can see all users from site

Liferay Legend Posts: 1902 Join date: 10/03/08
Unfortunately, I'm unable to reproduce based on the info provided and I haven't come across the problem before. In order to investigate further, I'm going to need more details. If you're able to reproduce, can you send the steps for reproducing to security@liferay.com? Alternatively, create a ticket at issues.liferay.com and mark the ticket as "Secure". Thanks.
Michel van Beek, modified 7 years ago.

RE: BUG/Leak?: User without any right can see all users from site

New Member Posts: 3 Join date: 6/10/09
Hello Samuel,

We are in the same situation, because we also need to first reproduce it ourselves.

I want to thank you for the time and efforts. If at some time we can reproduce this in any way, I will let you know via security@liferay.com.

Also, whenever you bump into this issue somewhere/somehow, feel free (and please do) to contact me.

Thanks