LPS-66683 All users are site administrators by default

Description

By default, Liferay Portal gives every registered user the Power User role. When a signed in user has the Power User role, the user will have their own site and permissions to manage the site public and private pages, content and the site configuration.

Environments affected

All conditions must be met:

  • Portal deployments where regular users are allowed to sign in and/or create new accounts. Regular users are users that do not have trust to manage a part of the portal.
  • Portal configuration has Power User inside admin.default.role.names portal property, which is default configuration.

Security risks

  • Portal users can create public portal pages and files that can be harmful, offensive or obscene. Such content can be understood as trusted and valid because it is hosted on the portal domain.
  • When portal doesn't have all security patches applied, users can obtain administrative access by using one of known fixed vulnerabilities
  • When portal deployment allows open registration of users, potentially any user can perform the actions.

Impact

Portal deployment with all security patches applied and default configuration:

  • Confidentiality impact: Partial. Power User role is used only for personal sites, which are empty by default. However they can extract existing information using data structures provided to WCM templates.
  • Integrity impact: Partial. Users can create own content. They are not allowed to modify existing content of other sites.
  • Availability impact: Complete. Users can create WCM templates with time-consuming loops that consumes all CPU cycles when rendered. Users can create unlimited number of resources in DB which can slow down database operations. Users can create unlimited numbers of files on disk which can fill up disk space.

Portal deployments without latest security patches or running insecure configuration can be fully compromised.

Recommendation

​​​​​Liferay recommends clients review their Liferay Portal deployment to check if users need their own site. If users need their own site, please review the permission given the users to ensure that users only have the permissions needed.
 
When regular users do not need Power User role:

  1. Remove existing users from Power User role
  2. Remove Power User from admin.default.role.names property to prevent new users to inherit the role, example configuration: admin.default.role.names=User
  3. Remove or review existing sites and content created by those users, if possible.

When regular users need Power User role:

  1. Review Power User role permissions and grant only the least required privileges
  2. Review portlets configuration and disable or limit unwanted features

Severity

Severity 1

Fixed Version(s)

Publication date: Thu, 16 Jun 2016 10:04:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.