Liferay JSON Service Information Leakage

Type packetstorm
Reporter Stefano Di Paola
Modified 2010-08-13T00:00:00


Minded Security Labs: Advisory #MSA251009  
Liferay Json Service Multiple Information Leakage  
Tested Versions:   
Liferay Portal 4.x and 5.x  
Minded Security ReferenceID:  
Discovery by   
Stefano Di Paola of Minded Security   
stefano.dipaola [_at_]  
High: it is possible to access functionalities and   
sensitive users' information.  
Grant access only to standard web functionalities and prevent direct  
access to JSON service.  
It is possible to access several classes and static methods and obtain a great deal of  
sensitive information.  
It is possible to access several methods by making a direct POST request to the following URL  
with a payload like the following:  
An authenticated user can perform a request like the one above and obtain an answer  
from the server like the following:  
HTTP/1.1 200 OK FunctionNameJs({response JSON object});   
It was possible to analyze the accessible methods, and it was noted that several  
classes and static methods are accessible, although many of them perform access control.  
However, there are several methods returning information about users that do not  
perform administrative access control, or that are available to any logged-in user.  
These methods can be used to obtain sensitive information.  
For example, an attacker could use the method "getRoleUsers" in order to obtain  
internal Liferay password hashes (SHA-1, Base64-encoded) by making the following  
request (the administrative role id is 10107).  
POST /c/portal/json_service HTTP/1.1  
  
callback=ss&screenName=getRoleUsers&serviceParameters=roleId  
  
HTTP/1.1 200 OK  
ss([{"portraitId":0,"agreedToTermsOfUse":true,"passwordEncrypted":true,  
As can be seen, the server's answer contains the object for the admin user, including  
the password hash in SHA-1 format (without salt).  
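The two defender-side checks that follow from the description above, as an added example that is not part of the advisory or of Liferay: a request filter that flags direct calls to /c/portal/json_service (and the method named here), and a response scanner that strips the FunctionNameJs(...) callback wrapper and reports credential-bearing keys in the returned user objects. The sample exchange is constructed from the advisory's request and response; the "password" key name and the hash value are assumptions/placeholders.

```python
import json
import re
from urllib.parse import parse_qs

# Endpoint and leaking method named in the advisory.
JSON_SERVICE_PATH = "/c/portal/json_service"
SENSITIVE_METHODS = {"getRoleUsers"}
# Credential keys: "passwordEncrypted" is in the advisory's response; "password" is an assumed name.
SENSITIVE_KEYS = {"password", "passwordEncrypted"}
# Matches the FunctionNameJs({...}); callback wrapper the advisory describes.
JSONP_RE = re.compile(r"^\s*([A-Za-z_$][\w$]*)\((.*)\)\s*;?\s*$", re.S)

def flag_request(path, body):
    """Return reasons to block or alert on a request (empty list = allow)."""
    reasons = []
    if path.split("?", 1)[0] == JSON_SERVICE_PATH:
        reasons.append("direct json_service access")
        # The parameter carrying the method name varies, so inspect every value.
        values = {v for vs in parse_qs(body, keep_blank_values=True).values() for v in vs}
        reasons += [f"sensitive method {m}" for m in sorted(SENSITIVE_METHODS & values)]
    return reasons

def unwrap_jsonp(body):
    """Strip the callback wrapper, if present, and parse the JSON inside."""
    m = JSONP_RE.match(body)
    return json.loads(m.group(2) if m else body)

def find_sensitive_keys(obj, path="$"):
    """Walk a parsed response and list JSON paths of credential-bearing keys."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k in SENSITIVE_KEYS:
                hits.append(f"{path}.{k}")
            hits += find_sensitive_keys(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_sensitive_keys(v, f"{path}[{i}]")
    return hits

def scan_response(body):
    """Report credential-bearing keys in a json_service reply; [] if it is not JSON/JSONP."""
    try:
        return find_sensitive_keys(unwrap_jsonp(body))
    except ValueError:
        return []

# Constructed sample exchange modelled on the advisory; the hash value is a placeholder.
SAMPLE_REQUEST_BODY = "callback=ss&screenName=getRoleUsers&serviceParameters=roleId"
SAMPLE_RESPONSE = 'ss([{"portraitId":0,"agreedToTermsOfUse":true,"passwordEncrypted":true,"password":"PLACEHOLDER_BASE64_SHA1"}]);'
```

Deployed in a reverse proxy, the first check implements the advisory's own fix (deny direct json_service access); the second is a response-side control that catches any other method leaking the same user object.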
Disclosure Timeline  
25/10/09 Issue found  
12/05/10 Reported to Vendor  
The information within this paper may change without notice. Use  
of this information constitutes acceptance for use in an AS IS  
condition. There are NO warranties with regard to this information.  
In no event shall the author be liable for any damages whatsoever   
arising out of or in connection with the use or spread of this   
Any use of this information is at the user's own risk.  
Permission is hereby granted for the redistribution of this Alert  
electronically. It is not to be edited in any way without express  
consent of Minded Security Research Lab. If you wish to reprint the  
whole or any part of this Alert in any other medium excluding  
electronic medium, please e-mail   
for permission.  
Copyright (c) 2010 Minded Security, S.r.l.  
All rights reserved worldwide.