Rating can be corrupted as score value is not validated

Description

Ratings score value is not checked, and any possible value can be injected with a special URL:

http://localhost:8080/c/ratings/rate_entry?className=com.liferay.portlet.blogs.model.BlogsEntry&classPK=10714&p_l_id=10183&score=500000

It will be counted in the average, so it is usable to radically modify rankings.

Activity

Pani Gui February 24, 2013 at 9:00 PM

PASSED Manual Testing using the following steps:

1. Add Blogs portlet to Welcome page.
2. Create a blog entry.
3. Open this URL http://localhost:8080/c/ratings/rate_entry?className=com.liferay.portlet.blogs.model.BlogsEntry&classPK=10714&p_l_id=10183&score=500000.

Fixed on:
Tomcat 6.0 + MySQL 5. Portal 6.0.x GIT ID: 6875ec4676b14b2749d05cc521cc591405d60ea1.

The URL is invalid.

Michael Saechang May 29, 2012 at 2:26 PM

Thank you Pani for testing. Closing as 'Fixed'.

Pani Gui May 24, 2012 at 9:52 PM

PASSED Manual Testing using the following steps:

1. Add Blogs portlet to Welcome page.
2. Create a blog entry.
3. Open this URL http://localhost:8080/c/ratings/rate_entry?className=com.liferay.portlet.blogs.model.BlogsEntry&classPK=10714&p_l_id=10183&score=500000.

Reproduced on:
Tomcat 7.0 + MySQL 5. 6.1.10 EE GA1.

Ratings score value can be modified via a special URL.

Fixed on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x CE GIT ID: 974e58c9630c9471da61a56dc052083a17c05b72.
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 297e3b476e139be65658e72bfed4d2a9ad4dc254.
Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: e5d79f8286afb81e210c2f40dcb87bf4102abdc9.

The URL is invalid.

Juan Fernández May 18, 2012 at 2:03 AM

Hi guys:
This validation is not enough. It can be bypassed using a hook, a plugin or a web service client that calls RatingsEntryServiceUtil directly. That is why we need to add validations to LocalServiceImpl files.
I'm reimplementing this and will send you a PR to review it.
Thanks
Juan
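The layering point Juan raises above, as an added stand-alone example that is not the portal's own code: a request-layer handler for the rate_entry URL delegates to a local service, and the range check sits in the service so that a direct call (as a hook, plugin or web service client would make) is rejected just like the URL path. Class and method names and the 0..1 score range are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-alone model of the two layers in the ticket; class and method names
// are illustrative, not Liferay's own, and the 0..1 score range is assumed.
public class RatingsScoreValidation {
    public static class EntryScoreException extends Exception {
        EntryScoreException(double score) { super("invalid ratings score: " + score); }
    }
    // Local service layer: every caller (portlet action, hook, plugin, remote
    // web service client) ends up here, so this is where the check must live.
    public static class RatingsEntryLocalService {
        static final double MIN_SCORE = 0.0, MAX_SCORE = 1.0;
        private final List<Double> scores = new ArrayList<>();
        public void updateEntry(long classPK, double score) throws EntryScoreException {
            if (Double.isNaN(score) || score < MIN_SCORE || score > MAX_SCORE) {
                throw new EntryScoreException(score);
            }
            scores.add(score);
        }
        public double getAverageScore() {
            double total = 0.0;
            for (double s : scores) total += s;
            return scores.isEmpty() ? 0.0 : total / scores.size();
        }
    }
    // Request layer for /c/ratings/rate_entry: parses "score" and delegates. A range
    // check placed only here is insufficient, because a direct service call skips it.
    public static void rateEntry(RatingsEntryLocalService svc, long classPK, String scoreParam)
            throws EntryScoreException {
        double score;
        try { score = Double.parseDouble(scoreParam); }
        catch (NumberFormatException e) { score = Double.NaN; }
        svc.updateEntry(classPK, score);
    }

    public static void main(String[] args) throws Exception {
        RatingsEntryLocalService svc = new RatingsEntryLocalService();
        rateEntry(svc, 10714L, "0.6");
        rateEntry(svc, 10714L, "0.8");
        for (String bad : new String[] {"500000", "-1", "abc"}) {
            try { rateEntry(svc, 10714L, bad); }
            catch (EntryScoreException e) { System.out.println("URL path rejected: " + e.getMessage()); }
        }
        try { svc.updateEntry(10714L, 500000); } // direct call, as from a hook or web service client
        catch (EntryScoreException e) { System.out.println("direct call rejected: " + e.getMessage()); }
        System.out.println("average unchanged: " + svc.getAverageScore());
    }
}
```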

Fixed

Details

Branch Version/s

6.1.x
6.0.x

Created May 15, 2012 at 5:50 AM
Updated June 24, 2023 at 4:01 PM
Resolved February 22, 2013 at 5:36 PM
