Liferay 6.1 json webservices are subject to cross-site request forgery attacks

2012-06-03T00:00:00
ID SECURITYVULNS:DOC:28123
Type securityvulns
Reporter Securityvulns
Modified 2012-06-03T00:00:00

Description

Liferay 6.1 json webservices are subject to cross-site request forgery attacks

Description:

Liferay Portal is an enterprise portal written in Java

If a user is currently logged in to the portal (or has ticked the remember me box) then with a little help of social engineering (like sending a link via email/chat), an attacker can read most data the logged in user is priviliged to see. The reason for this is that the new json webservices let you pass along the name of a javascript function that should be called with the result of the invocation (jsonp). Because the HTML <script> tag does not respect the same origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to the portal by using the techniques described in this article

http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

Code demonstrating the vulnerability can be found at

http://issues.liferay.com/secure/attachment/46878/fun.html

Systems affected

Liferay 6.1 ce Liferay 6.1 ee

Vendor status :

Liferay was notified may 7 2012 by filing a bug in their public bugtracker under issue number LPS-27174 The issue has not yet been resolved