- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 6.1.10 EE GA1, 6.2.0 CE M2
- Fix Version/s: 6.0.X EE, 6.1.20 EE GA2, --Sprint 11/12, 6.2.0 CE M2
- Component/s: Accessibility, Security Vulnerability
- Branch Version/s: 6.1.x, 6.0.x
- Backported to Branch: Committed
- Story Points: 2
- Git Pull Request:
In some cases the Liferay JSON services can present important security holes:
1 - The less important: in some cases, we can access some database information (for example, knowing whether a userId exists in the Liferay database).
2 - The most important: in some cases, we can use JSON services to fill in Liferay databases without any permissions needed!!!
1 - Access to DB information
For example, if you load the URL:
The answer will be:
{"exception":"com.liferay.portal.NoSuchUserException: No User exists with the primary key 1234"}
So, you know there is no user for this ID. I think it's not good to give this type of information to anyone.
2 - Fill the Liferay DB without permissions needed:
Some ServiceUtil classes are not well protected. For example, if you load the URL:
You will add a user to the CyrusUser table (there is no protection on this service).
I've created this ticket as private because I think this is a very important and easy-to-use security hole!
Sure, we can use "json.service.invalid.class.names" to remove some classes. But I think it would be better if we could use an include list instead of an exclude list (there are so many services).
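The two points of the report, an exclude list that leaves every unnamed service reachable and an exception message that confirms whether a primary key exists, can be modelled in a few lines. The following is an added example written for this page, not Liferay code and not Liferay's JSON servlet: the service class names (`com.example.UserServiceUtil`, `com.example.CyrusUserServiceUtil`), the in-memory tables and the `dispatch` function are all constructed. `INVALID_CLASS_NAMES` stands in for the `json.service.invalid.class.names` exclude list named above; `ALLOWED_METHODS` is the include list the reporter asks for.

```python
"""Allowlist dispatch and non-disclosing errors for a JSON service endpoint.

Constructed illustration (not Liferay code). It contrasts:
  - an exclude list of class names, which blocks only what it names, with
    an include list of (class, method) pairs, which blocks everything else;
  - echoing the service exception (reveals whether a key exists) with a
    generic error that is identical for every failure.
"""
import json

# Constructed in-memory tables standing in for the portal database.
USERS = {1001: "alice", 1002: "bob"}
CYRUS_USERS = {}


class NoSuchUserException(Exception):
    """Mimics a service-layer lookup failure that names the missing key."""


def get_user_by_id(user_id: int) -> dict:
    if user_id not in USERS:
        raise NoSuchUserException(f"No User exists with the primary key {user_id}")
    return {"userId": user_id, "screenName": USERS[user_id]}


def add_cyrus_user(user_id: int, password: str) -> dict:
    """Write operation with no permission check of its own (the class of bug reported)."""
    CYRUS_USERS[user_id] = password
    return {"userId": user_id}


# Hypothetical service registry: class name -> method name -> callable.
SERVICES = {
    "com.example.UserServiceUtil": {"getUserById": get_user_by_id},
    "com.example.CyrusUserServiceUtil": {"addUser": add_cyrus_user},
}

# Exclude-list model: only classes named here are refused.
INVALID_CLASS_NAMES = {"com.example.CompanyServiceUtil"}

# Include-list model: only (class, method) pairs named here are reachable.
ALLOWED_METHODS = {("com.example.UserServiceUtil", "getUserById")}


def dispatch(class_name, method, params, *, use_allowlist=True, leak_exceptions=False):
    """Invoke one service method and return the JSON response body as a string."""
    if use_allowlist:
        permitted = (class_name, method) in ALLOWED_METHODS
    else:
        permitted = class_name not in INVALID_CLASS_NAMES
    fn = SERVICES.get(class_name, {}).get(method)
    if not permitted or fn is None:
        return json.dumps({"error": "service not available"})
    try:
        return json.dumps(fn(**params))
    except Exception as exc:
        if leak_exceptions:
            # Behaviour described in the report: class and key echoed to the caller.
            return json.dumps({"exception": f"{type(exc).__name__}: {exc}"})
        # Same response for "missing key" and any other failure, so the
        # response cannot be used to enumerate primary keys.
        return json.dumps({"error": "request failed"})


if __name__ == "__main__":
    print(dispatch("com.example.UserServiceUtil", "getUserById", {"user_id": 1234}, leak_exceptions=True))
    print(dispatch("com.example.UserServiceUtil", "getUserById", {"user_id": 1234}))
    print(dispatch("com.example.CyrusUserServiceUtil", "addUser", {"user_id": 7, "password": "x"}, use_allowlist=False))
    print(dispatch("com.example.CyrusUserServiceUtil", "addUser", {"user_id": 8, "password": "x"}))
```

With the exclude list, the write method on the unlisted Cyrus service is reachable; with the include list, the same call is refused and the table is untouched. The generic error path returns the same body for a missing key as for any other exception, which is what closes the enumeration channel.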
- relates to: LPS-25688 Add optional user authentication for old and new JSON api (Closed)