Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Liferay JSON Server API Authentication

🗓️ 03 Aug 2012 00:00:00Reported by Danilo MassaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 21 Views

Liferay JSON API authentication vulnerability allows unauthorized access and potential admin takeove

Code
`=============================================  
  
- Release date: August 3rd, 2012  
  
- Discovered by: Danilo Massa & Enrico Cinquini  
  
- Severity: High  
  
=============================================  
  
I. VULNERABILITY  
  
-------------------------  
  
Liferay JSON service API authentication vulnerability  
  
  
  
II. BACKGROUND  
  
-------------------------  
  
JSON service API are provided by all Liferay services that allows invoking  
its methods directly through HTTP using JSON as a data serialization  
mechanisms.  
  
This API is automatically generated by Service Builder, which means that  
you can also provide it for your custom services developed in the extension  
environment with no extra effort.  
  
  
  
III. INTRODUCTION  
  
-------------------------  
  
The Liferay JSON implementation do not check if a user that call a method  
on a serviceClass is disabled. Usually the default administrator user,  
[email protected], is used to create a new administrator and disabled  
without to change the default password, so it is possible to use it to  
execute JSON API calls.  
  
  
  
IV. DESCRIPTION  
  
-------------------------  
  
In order to get control of a Liferay portal is necessary to:  
  
  
- create a fake openID user on a free provider (like myopenid.com)  
  
- enumerate users calling the method getUserById of UserServiceUtil  
service class (the parameter of this call is a number so it is virtually  
possible to enumerate all users)  
  
- find a user with administrative role calling the method getUserRole of  
RoleServiceUtil service class using the valid userIds harvested in the  
previous step  
  
- set the previously created fake openId URL for the discovered  
administrator user using a call to updateOpenId method of the  
UserServiceUtil service class  
  
  
  
At this point is possible to login to Liferay as the discovered  
administrator selecting the OpenId authentication method to the portal.  
  
  
  
V. PROOF OF CONCEPT  
  
-------------------------  
  
Below is a harmless test that can be executed to check if a Liferay  
installation is vulnerable.  
  
  
  
Using a browser go to the following URL:  
  
http://<liferay_url>/tunnel-web/secure/json  
  
and use the standard [email protected] user and password when the web site  
require a basic authentication in order to check if they are still valid.  
  
  
  
A vulnerable Liferay installation will show a blank web page, a secured  
installation will ask the authentication credentials three times before to  
show an error page.  
  
  
  
VI. BUSINESS IMPACT  
  
-------------------------  
  
An attacker could exploit the vulnerability to become administrator and  
retrive or publish any kind of data on Liferay.  
  
It is also possible to inject a web comand shell on the Liferay machine.  
  
  
  
VII. SYSTEMS AFFECTED  
  
-------------------------  
  
Versions 6.0.5 and 6.0.6 are vulnerable.  
  
Versions 6.1 is vulnerable but the password for the standard administrator  
user is not hardcoded in the installation but asked at installation time  
(so can be different from the standard one)  
  
  
  
VIII. SOLUTION  
  
-------------------------  
  
Upgrade to a patched release (when availble) or as quick workaround change  
the default password for user [email protected].  
  
  
  
IX. REFERENCES  
  
-------------------------  
  
Liferay's JSON API usage examples:  
  
http://www.liferay.com/web/james.falkner/blog/-/blogs/yet-another-liferay-json-service-example  
  
http://www.liferay.com/es/web/raymond.auge/blog/-/blogs/476431  
  
  
  
Liferay's service classes documentation:  
  
http://docs.liferay.com/portal/6.0/javadocs/com/liferay/portal/service/package-tree.html  
  
  
  
X. CREDITS  
  
-------------------------  
  
The vulnerability has been discovered by:  
  
Danilo Massa massa(under_score)danilo(at)gmail(dot)com  
  
Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com  
  
  
  
XI. VULNERABILITY HISTORY  
  
-------------------------  
  
June 11th, 2012: Vulnerability identification  
  
June 12th, 2012: Vendor notification  
  
August 3rd, 2012: Vulnerability disclosure  
  
  
  
XII. LEGAL NOTICES  
  
-------------------------  
  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise. We accept no  
responsibility for any damage caused by the use or misuse of this  
information.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Aug 2012 00:00Current
0.2Low risk
Vulners AI Score0.2
liferay portaljson apiauthenticationvulnerabilityadministratorexploitsecuritypatchuser enumerationopenidservice buildercommand shell
21