Critical Liferay Security Issue: User is logged in as another user

Today my customer came to me with a critical issue: after logging in, several users found themselves logged in as a different user. This issue affects at least Liferay 6 SP1. I have tested it with LDAP and NTLM, but it may well affect basic auth too.

For instance: if you have two users with the usernames lwescmo and lwesco1, you can expect a result like the following.

To reproduce it, first log in as the first user, lwescmo. Then log out and log in as the second user, lwesco1.

As you can see, the logged-in user is lwescmo and NOT lwesco1.

Reason: when a user logs in, the complete user object is cached (in the Finder Cache). For this, FinderCacheImpl creates a hash key for each finder entry using finderPath.encodeCacheKey(args). Through this, the same key is created for both users (for me: 29e1914a).

Both users target the same cache entry!
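As an added illustration (not code from the original post or from Liferay), the following Python reproduces the failure mode with a toy finder cache: a cache keyed only on a 32-bit hash hands the second login the first user's record, while a cache keyed on the full finder name and arguments does not. The post does not say which algorithm produced the key; the example assumes Java's String.hashCode, which does give identical values for lwescmo and lwesco1 (the differing suffixes "mo" and "o1" both hash to 109*31+111 = 111*31+49 = 3490, and a shared prefix preserves the collision). The finder name fetchByScreenName and the user table are constructed for the example.

```python
# Added example, not code from the original post or from Liferay.
# Reproduces the described failure mode: two distinct screen names whose
# hashes collide share one finder-cache entry, so the second login resolves
# to the first user's cached record. The hashing algorithm Liferay used is
# not stated on the page; Java's String.hashCode is ASSUMED here, and it does
# produce identical hashes for "lwescmo" and "lwesco1".


def java_string_hashcode(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the characters, as a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def hex_key(s: str) -> str:
    """Render the hash as eight lowercase hex digits, the shape of the key quoted in the post."""
    return format(java_string_hashcode(s) & 0xFFFFFFFF, "08x")


# Constructed sample user table standing in for the database (not real Liferay data).
USERS = {
    "lwescmo": {"userId": 10001, "screenName": "lwescmo"},
    "lwesco1": {"userId": 10002, "screenName": "lwesco1"},
}


def load_user(screen_name: str) -> dict:
    """Simulated database lookup performed on a cache miss."""
    return dict(USERS[screen_name])


class HashKeyedFinderCache:
    """Vulnerable shape: the cache key is only the 32-bit hash of (finder name + args).

    Two argument sets with colliding hashes map to one entry, so a lookup for
    the second user returns whatever the first lookup stored.
    """

    def __init__(self):
        self._entries = {}  # hex hash -> cached user record

    def fetch_by_screen_name(self, screen_name: str, loader) -> dict:
        key = hex_key("fetchByScreenName:" + screen_name)  # hypothetical finder name
        if key not in self._entries:
            self._entries[key] = loader(screen_name)
        return self._entries[key]


class FullKeyedFinderCache:
    """Hardened shape: key on the finder name and the full argument values.

    Equal keys now imply equal arguments, so a hash collision cannot alias entries.
    """

    def __init__(self):
        self._entries = {}  # (finder name, screen name) -> cached user record

    def fetch_by_screen_name(self, screen_name: str, loader) -> dict:
        key = ("fetchByScreenName", screen_name)
        if key not in self._entries:
            self._entries[key] = loader(screen_name)
        return self._entries[key]


def second_login_resolves_to(cache) -> str:
    """Log in as lwescmo, log out, log in as lwesco1; return the screen name the second session sees."""
    cache.fetch_by_screen_name("lwescmo", load_user)
    return cache.fetch_by_screen_name("lwesco1", load_user)["screenName"]


if __name__ == "__main__":
    print("lwescmo ->", hex_key("lwescmo"), " lwesco1 ->", hex_key("lwesco1"))
    print("hash-keyed cache resolves second login to:", second_login_resolves_to(HashKeyedFinderCache()))
    print("full-keyed cache resolves second login to:", second_login_resolves_to(FullKeyedFinderCache()))
```

The hardened cache is slower to key but cannot alias two different lookups, which matters here because screen names are chosen by users, so collisions are not limited to accidents like this one.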

TEMPORARY SOLUTION: set value.object.finder.cache.enabled to false in your portal-ext.properties and restart your server.

Comments

One Response to “Critical Liferay Security Issue: User is logged in as another user”

  1. Michael Han on January 13th, 2012 7:29 pm

    Actually, the proper fix would be to use a different hash key generator in the util-spring.xml:

    So add an ext-spring with the following entries:
