Details

Description

In some cases the Liferay JSON services can present important security holes:

1 - The less important: in some cases, we can access some database information (for example, knowing whether a userId exists in the Liferay database).
2 - The most important: in some cases, we can use JSON services to fill Liferay databases without any permissions needed!!!

1 - Access to DB information

For example, if you load the URL:

http://www.liferay.com/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=getUserById&serviceParameters=[%22userId%22]&userId=1234

The answer will be:

{"exception":"com.liferay.portal.NoSuchUserException: No User exists with the primary key 1234"}

So you know there is no user for this ID. I think it's not good to give this type of information to anyone.

2 - Filling the Liferay DB without any permissions needed:

Some ServiceUtil classes are not well protected. For example, if you load the URL:

http://www.liferay.com/c/portal/json_service?serviceClassName=com.liferay.mail.service.CyrusServiceUtil&serviceMethodName=addUser&serviceParameters=[%22userId%22,%22emailAddress%22,%22password%22]&userId=12345&emailAddress=%22aa@aa.com%22&password=test

You will add a user to the CyrusUser table (there are no protections on this service).

I've created this ticket as private because I think this is a very important and easy-to-use security hole!

Sure, we can use "json.service.invalid.class.names" to exclude some classes. But I think it would be better if we could use an include list instead of an exclude list (there are so many services).
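As an added example (not Liferay's code and not the reporter's), the following Python script contrasts the two policies the ticket discusses: an exclude list in the spirit of json.service.invalid.class.names, assumed here to be a comma-separated list of class names, against an include list of class/method pairs, evaluated over constructed json_service URLs modelled on the two in the report. The class and method names come from the report; the localhost URLs, the deny-list contents and the allowed class/method pairs are hypothetical.

```python
from urllib.parse import parse_qs, urlparse

# Constructed policy values (hypothetical, not Liferay's defaults).
# Exclude list in the spirit of json.service.invalid.class.names; assumed
# to be a comma-separated list of fully qualified *ServiceUtil class names.
INVALID_CLASS_NAMES = "com.liferay.portal.service.UserServiceUtil"
# Include-list alternative: only these class/method pairs may be invoked.
ALLOWED_METHODS = {
    "com.liferay.portal.service.CompanyServiceUtil": {"getCompanyById"},
}

def parse_invocation(url):
    """Return (serviceClassName, serviceMethodName) for a json_service URL, else None."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/c/portal/json_service"):
        return None
    query = parse_qs(parsed.query)
    cls = query.get("serviceClassName", [""])[0]
    method = query.get("serviceMethodName", [""])[0]
    return cls, method

def denylist_allows(url):
    """Exclude-list policy: any class not explicitly listed gets through."""
    inv = parse_invocation(url)
    if inv is None:
        return False
    denied = {c.strip() for c in INVALID_CLASS_NAMES.split(",") if c.strip()}
    return inv[0] not in denied

def allowlist_allows(url):
    """Include-list policy: only listed class/method pairs get through."""
    inv = parse_invocation(url)
    if inv is None:
        return False
    cls, method = inv
    return method in ALLOWED_METHODS.get(cls, set())

# Constructed sample requests using the class/method names from the report.
BASE = "http://localhost:8080/c/portal/json_service?serviceClassName="
SAMPLE_URLS = [
    BASE + "com.liferay.portal.service.UserServiceUtil&serviceMethodName=getUserById",
    BASE + "com.liferay.mail.service.CyrusServiceUtil&serviceMethodName=addUser",
    BASE + "com.liferay.portal.service.CompanyServiceUtil&serviceMethodName=getCompanyById",
]

def compare_policies(urls):
    """Map each serviceClassName to (exclude-list verdict, include-list verdict)."""
    return {parse_invocation(u)[0]: (denylist_allows(u), allowlist_allows(u)) for u in urls}

if __name__ == "__main__":
    for cls, (deny_ok, allow_ok) in compare_policies(SAMPLE_URLS).items():
        print(f"{cls}: exclude-list passes={deny_ok}, include-list passes={allow_ok}")
```

The unlisted CyrusServiceUtil.addUser call passes the exclude list but is stopped by the include list, which is the reporter's argument in one run.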


Packages

Version Package
6.0.X EE
6.1.20 EE GA2
--Sprint 11/12
6.2.0 CE M2