All JSON web services are accessible without authentication.
Activity

Samuel Kong April 25, 2012 at 12:30 AM
No, the two issues are not the same.

Juan Gonzalez April 24, 2012 at 1:46 PM
Is this issue related to LPS-26930?

Juan Gonzalez April 24, 2012 at 1:45 PM
Samuel, please can you tell me what features wouldn't work if JSON web services are disabled?

Samuel Kong April 24, 2012 at 4:30 AM
The code for this ticket was committed under .
Fixed
Details
Assignee: Samuel Kong (Deactivated)
Reporter: Samuel Kong (Deactivated)
Priority: Medium
Created April 24, 2012 at 4:29 AM
Updated June 24, 2023 at 3:56 PM
Resolved April 25, 2012 at 12:30 AM
All JSON web services are, by default, accessible without authentication. Due to this vulnerability, anyone can create a new user with administrator rights.
Workarounds
Option 1: Turn off all JSON web services by adding the following to portal-ext.properties:
json.web.service.enabled=false
Option 2: Disable anonymous access to JSON web services by adding the following to portal-ext.properties:
jsonws.web.service.public.methods=
json.service.public.methods=
Option 2 reduces the risk but does not completely eliminate it. Option 1 eliminates the risk, but also causes some portal functionality to stop working.
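To check which of the two workarounds a given portal-ext.properties actually applies, the following added example (not code from the ticket or from the portal itself) parses the file and reports the result. The verdict labels and the sample file contents are constructed for illustration, and a missing key is assumed to keep the shipped default that the ticket describes as open to anonymous access.

```python
import re

# Property names as given in the workarounds above.
ENABLED = "json.web.service.enabled"
PUBLIC_KEYS = ("jsonws.web.service.public.methods", "json.service.public.methods")

def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash continuations. A later definition of a key overrides an earlier one."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(text):
    """Return (verdict, keys_still_open). Verdict labels are this example's own."""
    props = parse_properties(text)
    # Option 1: JSON web services switched off entirely.
    if props.get(ENABLED, "").lower() == "false":
        return "option1", []
    # Option 2: both public-method lists must be present and empty. A missing
    # key is assumed to keep the shipped default, which the ticket reports as
    # allowing anonymous access.
    still_open = [k for k in PUBLIC_KEYS if props.get(k) != ""]
    if not still_open:
        return "option2", []  # reduced risk only, per the ticket
    return "exposed", still_open

# Constructed sample: Option 2 applied to only one of the two properties.
SAMPLE = """\
# portal-ext.properties (constructed)
json.web.service.enabled = true
json.service.public.methods=
"""

if __name__ == "__main__":
    verdict, keys = audit(SAMPLE)
    print(verdict, keys)
```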