Liferay 6.1 can be compromised without having an account on the portal

2012-06-03T00:00:00
ID SECURITYVULNS:DOC:28122
Type securityvulns
Reporter Securityvulns
Modified 2012-06-03T00:00:00

Description

Liferay 6.1 can be compromised without having an account on the portal

Description:

Liferay Portal is an enterprise portal written in Java

Liferay in it's default configuration exposes a number of remotely accessible webservices. Access to these services is restricted by an ip block.

It is possible to circumvent this ip block in the following way :

http://vulnerablehost/?p_p_id=58&p_p_lifecycle=2&p_p_resource_id=/path/to/remote/endpoint

By invoking such an url you trigger a call to requestDispatcher.forward() Because the ip filter was not configured to filter forward targets This allows you to call servlets that would otherwise be inaccessible.

One type of remote service that is exposed is the tunnel service. This service does not validate user passwords. Therefore by presenting the userid of an admin user to this service it is possible to completely compromise the server.

An account on the portal is not required in order to exploit this vulnerability.

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/liferay-tunnel-exploit

Systems affected:

Liferay 6.1 ce Liferay 6.1 ee liferay 6.0.x suffers from the same weakness but because in this version the remote webservices are invoked from their own servlet context the attack vector used in the example code does not work

Vendor status :

Liferay was notified april 29 2012 by filing a bug in their public bugtracker under issue number LPS-27046. The issue has since been flagged as private and has been resolved.