Hi,
I played today with the plugin, it's looking very good! During playing I found some issues:
(1)
It's possible to bypass the LatchFilter using a URL that will be ignored by your regular expressions, like http://localhost:8080////////web/guest or http://localhost:8080/web;pathParam=value/guest
It's also possible to bypass the LatchFilter using /c/ URI. For example - get plid of /web/guest/home page (e.g. 10643), then go to http://localhost:8080/c/portal/layout?p_l_id=10643 and the page will render with all portlets.
(2)
Another thing is that there is no additional protection to un-pair the device. With any such issue like the ones above I can call the portlet doUnPair action method and remove the protection altogether. All I need is to know on which page the portlet is deployed (which is easy if the attacker is also a member of the portal). If I don't know the page id (p_l_id) I can also iterate over all values.
An example with my p_l_id and p_auth parameters:
http://localhost:8080/c/portal/layout?p_l_id=10643&p_auth=BEFIFlMt&p_p_id=latchpairing_WAR_latchportlet&p_p_lifecycle=1&p_p_state=normal&_latchpairing_WAR_latchportlet_javax.portlet.action=doUnPair
I think it would help to add a token verification here as well.
(3)
The permissions of the portlet allow any Power User to add the portlet to the user account private pages.
There is only one instance of LatchConfig => any Power User can change configuration of the plugin through portlet configuration. It would be better to create 2 portlets or allow only portal administrator to see and update the configuration.
(4)
The portlet configuration shows the "application secret" in plain text. This is something that should never leave the server side.
(5)
Fail-safe concept ... In PostAuthenticationAction you allow access when an Exception happens. This means that when there is a DB/session clustering issue, the plugin will allow anybody to log in. (https://github.com/jpenren/latch-plugin-liferay/blob/7618323cfab0f04da49d0cfaf849ac9ff7510ac2/latch-portlet/src/main/java/com/elevenpaths/latch/hook/PostAuthenticationAction.java#L58-60)
Thanks
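The following servlet filter is an added illustration for points (1) and (5) above; it is not code from the latch-plugin-liferay project. It shows two defensive patterns: canonicalising the request path before any policy match, so that repeated slashes and `;param=value` matrix parameters cannot slip past the rules, and treating every protected path as denied by default with only an explicit public allowlist (rather than a regular-expression blocklist of protected URLs); and failing closed when the second-factor lookup throws. The `PUBLIC_PREFIXES` list, the `LatchStatusService` interface and the `"USER_ID"` session attribute key are assumptions made for the example, not the plugin's actual configuration or API.

```java
import java.io.IOException;
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not the plugin's own code). Every request is treated as
 * protected unless its canonical path starts with a public prefix, and any
 * failure of the second-factor check denies the request.
 */
public class CanonicalPathLatchFilter implements Filter {

    /** Hypothetical second-factor lookup; the real plugin calls the Latch API. */
    public interface LatchStatusService {
        boolean isAccessAllowed(long userId) throws Exception;
    }

    // Assumed allowlist: only these prefixes skip the second-factor check.
    // Everything else, including /c/portal/layout?p_l_id=..., is protected.
    static final List<String> PUBLIC_PREFIXES =
            Arrays.asList("/c/portal/login", "/html", "/image", "/combo");

    private final LatchStatusService latch;

    public CanonicalPathLatchFilter(LatchStatusService latch) {
        this.latch = latch;
    }

    /**
     * Canonicalises a path for policy matching: drops ";k=v" matrix
     * parameters from each segment, collapses empty segments produced by
     * "////", and resolves "." and ".." segments.
     * "////////web/guest" and "/web;pathParam=value/guest" both become "/web/guest".
     */
    static String canonicalize(String rawPath) {
        Deque<String> stack = new ArrayDeque<>();
        for (String segment : (rawPath == null ? "" : rawPath).split("/")) {
            int semi = segment.indexOf(';');
            if (semi >= 0) {
                segment = segment.substring(0, semi);   // strip matrix parameters
            }
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                                // "//" and "/./"
            }
            if (segment.equals("..")) {
                stack.pollLast();                        // "/a/../b" -> "/b"
                continue;
            }
            stack.addLast(segment);
        }
        return "/" + String.join("/", stack);
    }

    static boolean isPublic(String canonicalPath) {
        for (String prefix : PUBLIC_PREFIXES) {
            if (canonicalPath.equals(prefix) || canonicalPath.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    /** Fail closed: an unreachable backend or broken session never disables the second factor. */
    static boolean allow(LatchStatusService latch, long userId) {
        try {
            return latch.isAccessAllowed(userId);
        } catch (Exception e) {
            return false;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Match on the undecoded request URI with the context path removed.
        String uri = request.getRequestURI();
        String path = canonicalize(uri.substring(request.getContextPath().length()));
        if (isPublic(path)) {
            chain.doFilter(req, res);
            return;
        }

        // Assumed session attribute holding the logged-in user's id.
        Long userId = (Long) request.getSession().getAttribute("USER_ID");
        if (userId == null || !allow(latch, userId)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException { }

    @Override
    public void destroy() { }
}
```

The design choice is the inversion of the rule set: with an allowlist of public paths, a URL form the regular expressions never anticipated (a new servlet path such as /c/portal/layout, or an odd encoding of an existing one) ends up protected rather than exposed, and canonicalisation is applied before matching so that the prefix comparison sees the same path the portal will serve.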