Sandeep Nair
Security Flaw - Possibility to intercept request
March 17, 2009 4:32 AM
Rank: Liferay Legend | Posts: 1692 | Join Date: November 5, 2008

Hi,

We are using WebScarab for penetration testing, and we have found that we can change parameters by intercepting the request with WebScarab.

Is there a way by which I can make sure that the request, even if intercepted, cannot be manipulated by anyone?

Regards,
Sandeep
Maulin Rathod
RE: Security Flaw - Possibility to intercept request
March 17, 2009 6:27 AM
Rank: Junior Member | Posts: 61 | Join Date: November 6, 2008

This is a serious issue. A user can modify request parameters using tools like Firebug. By manipulating parameters, a user can perform actions for which the user does not have the privilege.

How can we handle it? Any help on this will be greatly appreciated.
Samuel Kong (LIFERAY STAFF)
RE: Security Flaw - Possibility to intercept request
March 17, 2009 11:59 AM
Rank: Liferay Master | Posts: 959 | Join Date: March 10, 2008

Sandeep, can you provide additional details such as what parameters, and which portlet this issue affects so that Liferay can be patched if needed.
Maulin Rathod
RE: Security Flaw - Possibility to intercept request
March 17, 2009 7:03 PM
Rank: Junior Member | Posts: 61 | Join Date: November 6, 2008

The My Account portlet has the following hidden parameters which can be manipulated by the user:

- parameter name = _2_organizationIds -- the user can change their organisation.
- parameter name = _2_cmd -- the user can change the parameter value from update to add (so it will create a new user).
- parameter name = _2_emailAddress -- the user can update the email address.
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
March 18, 2009 4:06 AM
Rank: Liferay Legend | Posts: 1692 | Join Date: November 5, 2008

Yep, those are the parameters.
Bruno Farache (LIFERAY STAFF)
RE: Security Flaw - Possibility to intercept request
March 18, 2009 8:40 AM
Rank: Liferay Master | Posts: 502 | Join Date: May 14, 2007

Are you logged in with a user that has permissions to make these changes?

If you are logged in as admin, then yes, you have permissions to make these changes.
Samuel Kong (LIFERAY STAFF)
RE: Security Flaw - Possibility to intercept request
March 18, 2009 11:34 AM
Rank: Liferay Master | Posts: 959 | Join Date: March 10, 2008

There is no security issue related with those parameters.

_2_cmd -- Checked on lines 173 and 571 in UserServiceImpl

_2_organizationIds -- Checked on line 598 in UserServiceImpl

_2_emailAddress -- users should be able to update their email address.


* Line numbers based on revision 27984
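The point made in this reply is the general defence against parameter tampering: hidden form fields such as cmd and organizationIds are client-controlled input, so the server must decide what is allowed from the identity in its own session and from server-side permission checks, never from what the form claims. The following is an added, generic illustration of that pattern (it is not Liferay code, and the User/UserStore types, the Forbidden exception, the handle_account_update handler and the sample users are all constructed for this example). A normal user's own email update succeeds, a tampered organizationIds or cmd=add from that user is refused and recorded for detection, and the same parameters are honoured for an administrator.

```python
# Added example: server-side authorization for client-controlled form parameters.
# Generic illustration of the pattern, not Liferay's code; all names are assumptions.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the session user is not allowed to perform the requested action."""


@dataclass
class User:
    user_id: int
    email: str
    organization_ids: set
    is_admin: bool = False


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    rejections: list = field(default_factory=list)  # audit trail of refused attempts
    next_id: int = 100


def _deny(store, actor, reason):
    """Record the refused attempt (for detection) and abort the request."""
    store.rejections.append((actor.user_id, reason))
    raise Forbidden(reason)


def handle_account_update(session_user_id, params, store):
    """Apply a 'My Account' form submission.

    Every decision is based on the user looked up from the server-side session
    (session_user_id), never on who the form claims to be or which hidden
    fields it carries. Submitted parameters are treated as untrusted input.
    """
    actor = store.users[session_user_id]
    cmd = params.get("cmd", "update")

    if cmd == "add":
        # Creating accounts is an administrative action, so a cmd value
        # changed from "update" to "add" by a normal user is refused.
        if not actor.is_admin:
            _deny(store, actor, "only administrators may create users")
        new = User(store.next_id, params["emailAddress"], set(), False)
        store.users[new.user_id] = new
        store.next_id += 1
        return new

    if cmd != "update":
        raise ValueError(f"unknown cmd {cmd!r}")

    target = actor  # a normal user may only edit their own account

    if "organizationIds" in params:
        requested = {int(x) for x in params["organizationIds"].split(",") if x}
        # A hidden field present in the request is not authorization: the
        # permission check uses the actor's server-side role.
        if not actor.is_admin and requested != target.organization_ids:
            _deny(store, actor, "organization membership may only be changed by an administrator")
        target.organization_ids = requested

    if "emailAddress" in params:
        # Users are allowed to update their own email address.
        target.email = params["emailAddress"]

    return target
```

Rejecting a disallowed change, rather than silently dropping the field, makes tampering visible in the audit trail; an intercepting proxy test like the one in this thread then shows a refused request instead of a changed record.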
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
March 18, 2009 10:22 PM
Rank: Liferay Legend | Posts: 1692 | Join Date: November 5, 2008

Hi Bruno,

Actually, we are using WebScarab to intercept the requests, then modify the parameters and send them again.

Regards,
Sandeep
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
March 18, 2009 11:29 PM
Rank: Liferay Legend | Posts: 1692 | Join Date: November 5, 2008

Here's how we can edit the organization using Firebug.

Login as a normal user who is not an admin.

Go to My Account. Right now the organization is Maulin Org, as shown below.

Next, using Firebug, edit organizationId as shown below. I have changed organizationId to 12401. Click on the Save button.

The organization is updated to Sandy's Organization, as shown below.

Regards,
Sandeep