lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFJgS8Vh8qASeEmSKEZ9DoqYVCHn4Spg4H3Y3P03O3SDtONCCw@mail.gmail.com>
Date: Sun, 13 May 2012 11:29:36 +0200
From: Jelmer Kuperus <jelmer.advisories@...il.com>
To: BUGTRAQ@...urityfocus.com
Subject: Liferay 6.1 can be compromised without having an account on the portal

Liferay 6.1 can be compromised without having an account on the portal

Description:

Liferay Portal is an enterprise portal written in Java

Liferay in it's default configuration exposes a number of remotely
accessible webservices.
Access to these services is restricted by an ip block.

It is possible to circumvent this ip block in the following way :

http://vulnerablehost/?p_p_id=58&p_p_lifecycle=2&p_p_resource_id=/path/to/remote/endpoint

By invoking such an url you trigger a call to
requestDispatcher.forward() Because the ip filter was
not configured to filter forward targets This allows you to call
servlets that would otherwise be
inaccessible.

One type of remote service that is exposed is the tunnel service. This
service does not validate
user passwords. Therefore by presenting the userid of an admin user to
this service it is possible
to completely compromise the server.

An account on the portal is not required in order to exploit this
vulnerability.

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/liferay-tunnel-exploit

Systems affected:

Liferay 6.1 ce
Liferay 6.1 ee
liferay 6.0.x suffers from the same weakness but because in this
version the remote webservices are
              invoked from their own servlet context the attack vector
used in the example code
              does not work

Vendor status :

Liferay  was notified april 29 2012 by filing a bug in their public
bugtracker under issue number
LPS-27046. The issue has since been flagged as private and has been resolved.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ