Details

    • Type: Feature Request
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security Vulnerability
    • Labels:
      None

      Description

      Issue description: By replacing the sessionId in a request with that of a logged-in user, we are able to replicate the user's session from another browser.

      Steps to reproduce:

      • Create two users, e.g. u1 and u2
      • Assign u1 the "Power user" role and u2 the "Portal Content Reviewer" role
      • Create two pages, e.g. Page1 and Page2
      • Open the permissions of Page1, enable the View permission for the Power user role and disable it for the Guest role
      • Open the permissions of Page2, enable the View permission for the Portal Content Reviewer role and disable it for the Guest role
        • Observed behavior: u1 can view the home page and Page1; u2 can view the home page and Page2.
      • Using Burp Suite, intercept the request as follows:
        • In the Chrome browser:
          • Log in as u1.
          • Switch on Intercept in Burp Suite and refresh Chrome. The sessionId of u1 is captured in the tool.
        • In another browser, e.g. IE or Firefox:
          • Switch on Intercept and open the URL without signing in, e.g. "https://IP:8443/"
          • Replace the session id in the request with the copied session id of u1 and click Forward.
      • Observed behavior: The browser is logged in with u1's login details. Page1 is now visible.

      Tested using HTTP and HTTPS on:

      DXP 7.2 + FP5

      Let me explain why there is no security constraint here:
      In the described case, we set up an environment which is basically suitable for debugging HTTPS requests. As a result, we see the requests unencrypted and can access everything in them, including the JSESSIONID cookie. Without importing Burp Suite's own certificate into the browser and setting it as trusted to identify websites, interception of the HTTPS communication is not possible.

      The feature request is to have a secondary check besides the session id. 

      Thanks
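      As an added illustration of such a secondary check (example code written for this page, not Liferay's own implementation), the session id issued at login is bound to a keyed fingerprint of the client's User-Agent and network prefix, and every request is validated against that binding; the in-memory store, the server key and the sample user-agent and address values are constructed.

```python
import hashlib
import hmac
import secrets
from ipaddress import ip_address, ip_network

# Constructed in-memory session store: session_id -> {"user": ..., "fp": ...}.
SESSIONS = {}
# Server-side key for the fingerprint MAC (constructed; generated per process here).
SERVER_KEY = secrets.token_bytes(32)


def _client_fingerprint(user_agent: str, client_ip: str) -> str:
    """Keyed hash of client properties that a copied cookie does not carry.

    The address is reduced to its /24 (IPv4) or /64 (IPv6) network so that
    ordinary address changes within one provider do not invalidate the session.
    """
    addr = ip_address(client_ip)
    prefix = 24 if addr.version == 4 else 64
    net = ip_network(f"{addr}/{prefix}", strict=False)
    return hmac.new(SERVER_KEY, f"{user_agent}|{net}".encode(), hashlib.sha256).hexdigest()


def login(user: str, user_agent: str, client_ip: str) -> str:
    """Issue a fresh session id at login and bind it to the client fingerprint."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "fp": _client_fingerprint(user_agent, client_ip)}
    return session_id


def authenticate_request(session_id: str, user_agent: str, client_ip: str):
    """Return the session's user when the binding matches, otherwise None.

    On a mismatch the session is destroyed, so an id copied out of an
    intercepted request cannot be replayed from another browser.
    """
    entry = SESSIONS.get(session_id)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["fp"], _client_fingerprint(user_agent, client_ip)):
        del SESSIONS[session_id]
        return None
    return entry["user"]


if __name__ == "__main__":
    # u1 logs in from Chrome; the same id is then presented from Firefox.
    sid = login("u1", "Chrome/120", "10.0.0.5")
    print(authenticate_request(sid, "Chrome/120", "10.0.0.5"))   # u1
    print(authenticate_request(sid, "Firefox/121", "10.0.0.5"))  # None
```

      The User-Agent is supplied by the client, so this check complements rather than replaces protecting the transport; in the reported setup both browsers ran on the same machine, which is why the binding includes the User-Agent and not only the address.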

            People

            Assignee:
            support-lep@liferay.com SE Support
            Reporter:
            thanga.meena Thanga Meena
            Votes:
            0
            Watchers:
            2