In some cases the Liferay JSON services can present important security holes:

1 - the less important: in some cases, we can access some database information (for example, knowing whether a userId exists in the Liferay database).
2 - the most important: in some cases, we can use JSON services to fill Liferay databases without any permissions needed!!!

1 - Access to DB information

For example, if you load the URL: [%22userId%22]&userId=1234

The answer will be:

{"exception":"com.liferay.portal.NoSuchUserException: No User exists with the primary key 1234"}

So you know there is no user for this ID. I think it's not good to give this type of information to anyone.

2 - Fill the Liferay DB without permissions needed:

Some ServiceUtil classes are not well protected. For example, if you load the URL: [%22userId%22,%22emailAddress%22,%22password%22]&userId=12345&

You will add a user to the CyrusUser table (there are no protections on this service).

I've created this ticket in private because I think this is a very important and easy-to-use security hole!

Sure, we can use "json.service.invalid.class.names" to remove some classes. But I think it would be better if we could use an include list instead of an exclude list (there are so many services).
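As an added example (not Liferay's code and not part of this report), here is a small Python model of the two gating policies discussed: the exclude list behind json.service.invalid.class.names versus the include list the reporter asks for, plus a fixed error body that does not reveal whether a user exists. The /c/portal/json_service path, the serviceClassName/serviceMethodName parameters and every class name and URL below are assumptions or constructed values.

```python
# Added example: models JSON-service gating policies. Not Liferay code.
# Assumed: requests carry serviceClassName/serviceMethodName query params;
# all class names, URLs and the servlet path below are constructed.
from urllib.parse import parse_qs, urlsplit

# Exclude list, in the spirit of json.service.invalid.class.names:
# anything NOT named here gets through.
INVALID_CLASS_NAMES = {
    "com.liferay.portal.service.UserServiceUtil",
}

# Include list, as the report proposes: only named class/method pairs
# get through, so a service nobody thought about is closed by default.
ALLOWED_SERVICES = {
    "com.liferay.portal.service.LayoutServiceUtil": {"getLayouts"},
}

def service_target(url):
    """Return (serviceClassName, serviceMethodName) from a request URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("serviceClassName", [""])[0], qs.get("serviceMethodName", [""])[0]

def exclude_list_allows(url):
    cls, _ = service_target(url)
    return cls not in INVALID_CLASS_NAMES

def include_list_allows(url):
    cls, method = service_target(url)
    return method in ALLOWED_SERVICES.get(cls, set())

def public_error_body(exc, server_log):
    """Send one fixed message to the client and keep the detail server-side,
    so a 'No User exists with the primary key ...' message cannot be used
    to probe which userIds exist."""
    server_log.append(f"{type(exc).__name__}: {exc}")
    return {"exception": "Service request failed"}

# Constructed requests: a read that an include list would name, and a write
# to an unprotected add method that an exclude list never mentioned.
READ_URL = ("http://portal.example/c/portal/json_service"
            "?serviceClassName=com.liferay.portal.service.LayoutServiceUtil"
            "&serviceMethodName=getLayouts&serviceParameters=%5B%5D")
WRITE_URL = ("http://portal.example/c/portal/json_service"
             "?serviceClassName=com.example.cyrus.service.CyrusUserServiceUtil"
             "&serviceMethodName=addUser"
             "&serviceParameters=%5B%22userId%22%5D&userId=12345")
```

The exclude list lets WRITE_URL through because the Cyrus service was never listed, while the include list rejects it by default.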


Version Package
6.0.X EE
6.1.20 EE GA2
--Sprint 11/12
6.2.0 CE M2