Tuesday, February 19, 2013

HTTP mod_proxy + Liferay @ same server = security problem

Liferay uses a remote IP check for Web Services authorization. This check can be bypassed with a wrong environment configuration.

The wrong configuration:
1, the web server is on the same machine as the app server (has the same localhost / server IP)
2, the web server uses an HTTP proxy

What happens - an HTTP request goes to the web server, which proxies the request to Liferay. Now the remote IP = the IP of the web server = localhost.

Risk
* Anyone can access remote web services
* Anyone can execute public remote methods; other methods require authentication. (Note: Starting with Liferay 6.1.1 / 6.1.20 all methods require authentication.)
* Anyone can execute a brute-force attack on users' portal credentials to break the authentication; SSO settings are bypassed

Quick workaround - change:
*.servlet.hosts.allowed=127.0.0.1,SERVER_IP
to
*.servlet.hosts.allowed=255.255.255.255

There is one drawback - you can't access Liferay Web Services from anywhere :)

Solution - move the web server to another machine or use AJP:
* load mod_proxy_ajp
* rewrite the configuration to use AJP and port 8009 everywhere (8009 is the Tomcat default). Example:
ProxyPass / ajp://localhost:8009/

Applies to Apache HTTP Server, nginx and, in fact, to any HTTP proxy server in this configuration.
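As an added illustration (not code from the original post and not Liferay's own implementation), here is a small Python model of the remote-IP allowlist check described above. The SERVER_IPS set, the client address and the three proxy modes are constructed assumptions; the parsing of *.servlet.hosts.allowed is a simplified stand-in for Liferay's handling of that property. It shows why the check passes for any client behind a same-host HTTP proxy, why AJP (which carries the original client address to Tomcat) restores the check, and why the 255.255.255.255 workaround locks everyone out.

```python
"""Model of a Liferay-style *.servlet.hosts.allowed check behind a reverse proxy."""
import ipaddress
from typing import Optional, Set

# Constructed stand-in for the server's own interface addresses. Liferay
# resolves the SERVER_IP token to the real host addresses; here it is a fixed set.
SERVER_IPS = {"127.0.0.1", "10.0.0.5"}


def parse_hosts_allowed(value: str) -> Optional[Set[str]]:
    """Parse a *.servlet.hosts.allowed value into a set of allowed addresses.

    An empty value means 'no restriction' and is modelled as None.
    The SERVER_IP token expands to the server's own addresses (assumption:
    SERVER_IPS above). Invalid addresses raise ValueError.
    """
    hosts: Set[str] = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item == "SERVER_IP":
            hosts |= SERVER_IPS
        else:
            hosts.add(str(ipaddress.ip_address(item)))
    return hosts or None


def is_allowed(remote_addr: str, hosts_allowed: Optional[Set[str]]) -> bool:
    """The authorization decision: is the request's REMOTE_ADDR on the list?"""
    if hosts_allowed is None:
        return True
    return remote_addr in hosts_allowed


def remote_addr_seen_by_app_server(client_ip: str, proxy: str) -> str:
    """Which REMOTE_ADDR the app server sees for a request from client_ip.

    proxy modes (constructed for this model):
      'none' - the client talks to Tomcat directly
      'http' - same-host HTTP reverse proxy (mod_proxy_http, nginx proxy_pass):
               Tomcat only sees the proxy's own connection from loopback
      'ajp'  - mod_proxy_ajp: the AJP request carries the original client
               address, so Tomcat reports the real client
    """
    if proxy == "http":
        return "127.0.0.1"  # the proxy connects from the loopback interface
    if proxy in ("none", "ajp"):
        return client_ip
    raise ValueError(f"unknown proxy mode: {proxy}")


def web_service_allowed(client_ip: str, proxy: str, hosts_allowed_value: str) -> bool:
    """End-to-end: does a client reach the web services in this deployment?"""
    seen = remote_addr_seen_by_app_server(client_ip, proxy)
    return is_allowed(seen, parse_hosts_allowed(hosts_allowed_value))


if __name__ == "__main__":
    default = "127.0.0.1,SERVER_IP"
    client = "203.0.113.7"  # constructed external client address
    for mode in ("none", "http", "ajp"):
        print(f"proxy={mode:4s} client={client} allowed={web_service_allowed(client, mode, default)}")
    print("workaround, local caller:", web_service_allowed("127.0.0.1", "none", "255.255.255.255"))
```

Running the block prints one line per proxy mode: only the same-host HTTP proxy lets the external client through, and the 255.255.255.255 workaround rejects even a local caller, which is the drawback the post mentions.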