Message-ID: <CAFJgS8VoBCsrCsA4hcte8fCR59yZ1j1nrFip5TVs3Wc30mPq5g@mail.gmail.com>
Date: Sun, 13 May 2012 12:29:55 +0200
From: Jelmer Kuperus <jelmer.advisories@...il.com>
To: BUGTRAQ@...urityfocus.com
Subject: Liferay 6.1 json webservices are subject to cross-site request
forgery attacks
Liferay 6.1 JSON web services are subject to cross-site request forgery attacks

Description:

Liferay Portal is an enterprise portal written in Java.

If a user is currently logged in to the portal (or has ticked the "remember me" box), then with a little help from social engineering (such as sending a link via email or chat), an attacker can read most data the logged-in user is privileged to see. The reason for this is that the new JSON web services let you pass along the name of a JavaScript function that should be called with the result of the invocation (JSONP). Because the HTML <script> tag does not respect the same-origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to the portal by using the techniques described in this article:
http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

Code demonstrating the vulnerability can be found at
http://issues.liferay.com/secure/attachment/46878/fun.html
Systems affected:
Liferay 6.1 CE
Liferay 6.1 EE

Vendor status:
Liferay was notified on May 7, 2012 by filing a bug in their public bug tracker under issue number LPS-27174. The issue has not yet been resolved.