Affects Version/s: 4.3.6
Similar Issues:
LEP-2992 Password policy is not taken into account with "forgot password"
LEP-7557 LDAP - when a user gets a new password via "forgot password", LDAP is not updated with the new password
LEP-5553 Forgot password fails with LDAP export
LEP-1432 "Forgot Password" allows to change another user's password
LEP-5901 Close XSS vulnerabilities found by LEP-5801
Liferay does not properly sanitize the name of the user agent when creating the "Forgot Password" emails sent from the portal.
The User-Agent HTTP header is embedded verbatim in the HTML-based forgot-password message, so HTML injection is possible (a CSRF attempt could also be carried this way, but it is likely to be blocked by the mail client).
This can lead to extremely dangerous phishing attacks: the email containing the malicious content originates from the targeted portal itself !!!
The attacker can use the credibility given by the email's origin to embed instructions for the victim, e.g. forwarding the email to some address (the email contains the new password for the victim's account !!!).
The impact ranges from privilege escalation to sending abusive content from the targeted portal to its users (loss of credibility for the institution running the portal).
Requirements: the Sign In -> Forgot Password feature is turned on, and the attacker knows the email address of at least one portal user (since Liferay also suffers from an email-guessing flaw, obtaining one is not hard).
NOTE: the attacker must set the User-Agent HTTP header before the session is created (the malicious User-Agent must be presented from the very beginning of the user-agent <-> server interaction) !!!
EXAMPLE EXPLOIT AND VERIFICATION:
Use a software proxy that allows HTTP traffic to be modified, or write a simple user agent in e.g. Perl.
Set the value of the HTTP User-Agent header to, e.g., an Internet Explorer string with the attack text appended:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727). If you haven't requested Password Reminder feature please forward immediately this email to firstname.lastname@example.org.
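As an added defensive example (not Liferay's code), the following Python shows the mitigation for the flaw described in this report: the email body is built from a fixed-vocabulary description of the browser rather than the raw header, so appended phishing text can never reach the message, and every other substituted value is HTML-escaped. The [$USER_AGENT$]-style token names and the sample template are assumptions.

```python
import html
import re

# Constructed sample input: the User-Agent from this report, a genuine IE 6
# string with a phishing sentence appended by the attacker.
MALICIOUS_UA = (
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; "
    ".NET CLR 2.0.50727). If you haven't requested Password Reminder feature "
    "please forward immediately this email to firstname.lastname@example.org."
)

# Fixed vocabulary. Only the version digits captured by a regex are taken from
# the header; the rest of the description comes from these constant labels.
BROWSERS = [
    (re.compile(r"MSIE (\d+\.\d+)"), "Internet Explorer {}"),
    (re.compile(r"Firefox/(\d+\.\d+)"), "Firefox {}"),
    (re.compile(r"Chrome/(\d+)\."), "Chrome {}"),
    (re.compile(r"Safari/"), "Safari"),  # after Chrome: Chrome UAs also say Safari
]
PLATFORMS = [
    (re.compile(r"Windows NT 5\.1"), "Windows XP"),
    (re.compile(r"Windows NT 10\.0"), "Windows 10"),
    (re.compile(r"Mac OS X"), "macOS"),
    (re.compile(r"Linux"), "Linux"),
]

def describe_user_agent(ua):
    """Map a raw User-Agent header to a fixed-vocabulary description."""
    browser = "an unknown browser"
    for pattern, label in BROWSERS:
        match = pattern.search(ua)
        if match:
            browser = label.format(*match.groups()).strip()
            break
    platform = next((label for pattern, label in PLATFORMS if pattern.search(ua)),
                    "an unknown platform")
    return f"{browser} on {platform}"

def render_password_email(template, fields):
    """Fill [$TOKEN$] placeholders (token names are an assumption, not
    Liferay's) after HTML-escaping every value; the USER_AGENT token is
    derived via describe_user_agent() instead of copying the header."""
    safe = {key: html.escape(value, quote=True) for key, value in fields.items()}
    safe["USER_AGENT"] = html.escape(describe_user_agent(fields.get("USER_AGENT", "")))
    body = template
    for key, value in safe.items():
        body = body.replace(f"[${key}$]", value)
    return body
```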