Forums

Security Flaw - Possibility to intercept request

Sandeep Nair, modified 15 years ago.

Security Flaw - Possibility to intercept request

Liferay Legend Posts: 1744 Join date: 06.11.08 Latest posts
Hi,

We are using WebScarab for penetration testing, and we found that we can change parameters by intercepting the request using WebScarab.

Is there a way by which I can make sure the request, even if intercepted, cannot be manipulated by anyone?

Regards,
Sandeep
Maulin Rathod, modified 15 years ago.

RE: Security Flaw - Possibility to intercept request

Junior Member Posts: 61 Join date: 06.11.08 Latest posts
This is a serious issue. A user can modify request parameters using tools like Firebug. By manipulating parameters, a user can perform actions for which the user has no privilege.

How can we handle it? Any help on this will be greatly appreciated.
Samuel Kong, modified 15 years ago.

RE: Security Flaw - Possibility to intercept request

Liferay Legend Posts: 1902 Join date: 10.03.08 Latest posts
Sandeep, can you provide additional details, such as which parameters and which portlet this issue affects, so that Liferay can be patched if needed?
Maulin Rathod, modified 15 years ago.

RE: Security Flaw - Possibility to intercept request

Junior Member Posts: 61 Join date: 06.11.08 Latest posts
The My Account portlet has the following hidden parameters, which can be manipulated by the user.

parameter name = _2_organizationIds -- the user can change their organisation.

parameter name = _2_cmd -- the user can change the parameter value from update to add (so it will create a new user).

parameter name = _2_emailAddress -- the user can update the email address.
Sandeep Nair, modified 15 years ago.

RE: Security Flaw - Possibility to intercept request

Liferay Legend Posts: 1744 Join date: 06.11.08 Latest posts
Yep, those are the parameters.
Bruno Farache, modified 15 years ago.

RE: Security Flaw - Possibility to intercept request

Liferay Master Posts: 603 Join date: 14.05.07 Latest posts
Are you logged in with a user that has permissions to make these changes?

If you are logged in as admin, then yes, you have permissions to make these changes.
Sandeep Nair, modified 15 years ago.

RE: Security Flaw - Possibility to intercept request

Liferay Legend Posts: 1744 Join date: 06.11.08 Latest posts
Hi Bruno,

Actually, we are using WebScarab to intercept the requests, then modify the parameters and send them again.

Regards,
Sandeep
Samuel Kong, modified 15 years ago.

RE: Security Flaw - Possibility to intercept request

Liferay Legend Posts: 1902 Join date: 10.03.08 Latest posts
There is no security issue related to those parameters.

_2_cmd -- checked on lines 173 and 571 in UserServiceImpl

_2_organizationIds -- checked on line 598 in UserServiceImpl

_2_emailAddress -- users should be able to update their email address.


* Line numbers based on revision 27984
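The checks in UserServiceImpl that Samuel points to are the only kind of defence that works against what Sandeep describes: hidden fields such as _2_cmd and _2_organizationIds are client input and can be rewritten in a proxy, so the permission decision has to be derived from the authenticated session and the server's own data, never from the submitted values. The following Python sketch is an added example of that server-side pattern; it is not Liferay's code. The in-memory user store, the `may_assign_organization` rule (only administrators may change memberships) and the constructed users are assumptions; only the parameter names are taken from the thread.

```python
from __future__ import annotations

from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller lacks permission for the requested change."""


@dataclass
class User:
    user_id: int
    email: str
    organization_ids: set[int]
    is_admin: bool = False


class UserStore:
    """Constructed in-memory user table standing in for a real user service."""

    def __init__(self, users: list[User]) -> None:
        self.users = {u.user_id: u for u in users}

    def add_user(self, email: str, organization_ids: set[int]) -> User:
        user = User(max(self.users) + 1, email, set(organization_ids))
        self.users[user.user_id] = user
        return user


def parse_ids(raw: str) -> set[int]:
    """Parse a comma-separated id list; any non-numeric token is rejected."""
    ids: set[int] = set()
    for token in raw.split(","):
        token = token.strip()
        if token and not token.isdigit():
            raise ValueError(f"bad organization id: {token!r}")
        if token:
            ids.add(int(token))
    return ids


def may_assign_organization(actor: User, org_id: int) -> bool:
    """Assumed policy: only administrators may add or remove organization memberships."""
    return actor.is_admin


def handle_update_account(store: UserStore, actor_id: int, params: dict[str, str]) -> User:
    """Apply an account-update request. actor_id comes from the session, not the form;
    every value in params is untrusted and is checked against the actor's permissions."""
    actor = store.users[actor_id]
    cmd = params.get("_2_cmd", "update")

    # The action verb is client-controlled: flipping "update" to "add" must not
    # let a non-admin create an account.
    if cmd == "add":
        if not actor.is_admin:
            raise Forbidden("only administrators may add users")
        email = params.get("_2_emailAddress", "").strip()
        if "@" not in email:
            raise ValueError("add requires a valid email address")
        return store.add_user(email, parse_ids(params.get("_2_organizationIds", "")))
    if cmd != "update":
        raise ValueError(f"unknown command {cmd!r}")

    # A regular user may only update their own record: the target is the session
    # user, not an id read from the request.
    target = actor

    # Authorize every membership that would actually change, by comparing the
    # submitted set against the current one.
    if "_2_organizationIds" in params:
        requested = parse_ids(params["_2_organizationIds"])
        for org_id in requested ^ target.organization_ids:
            if not may_assign_organization(actor, org_id):
                raise Forbidden(f"not allowed to change membership of organization {org_id}")
        target.organization_ids = requested

    # Users may change their own email address after basic validation.
    if "_2_emailAddress" in params:
        email = params["_2_emailAddress"].strip()
        if "@" not in email:
            raise ValueError("invalid email address")
        target.email = email
    return target


def run_scenarios() -> dict[str, str]:
    """Replay the thread's tampering cases against a constructed user store."""
    store = UserStore([User(1, "user@example.test", {100}),
                       User(2, "admin@example.test", {100}, is_admin=True)])
    results: dict[str, str] = {}

    def attempt(name: str, actor_id: int, params: dict[str, str]) -> None:
        try:
            handle_update_account(store, actor_id, params)
            results[name] = "allowed"
        except Forbidden:
            results[name] = "forbidden"
        except ValueError:
            results[name] = "rejected"

    attempt("user_changes_org", 1, {"_2_cmd": "update", "_2_organizationIds": "12401"})
    attempt("user_adds_user", 1, {"_2_cmd": "add", "_2_emailAddress": "new@example.test"})
    attempt("user_changes_email", 1, {"_2_cmd": "update", "_2_emailAddress": "me@example.test"})
    attempt("admin_changes_org", 2, {"_2_cmd": "update", "_2_organizationIds": "12401"})
    attempt("user_sends_junk_org", 1, {"_2_cmd": "update", "_2_organizationIds": "12401;x"})
    results["user_org_after"] = ",".join(str(i) for i in sorted(store.users[1].organization_ids))
    results["user_email_after"] = store.users[1].email
    return results
```

Run `run_scenarios()` to see the outcomes: the tampered organization id and the flipped command are refused for the normal user, the same organization change is accepted for the administrator, and the email change is accepted for the user's own record. The point of the `requested ^ current` comparison is that a client resubmitting the organization list it was given causes no permission failure, while any addition or removal is authorized individually.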
Sandeep Nair, modified 15 years ago.

RE: Security Flaw - Possibility to intercept request

Liferay Legend Posts: 1744 Join date: 06.11.08 Latest posts
Here's how we can edit the organization using Firebug.

Login as a normal user who is not admin.

Go to My Accounts. Right now the organization is Maulin Org, as shown below.

Next, using Firebug, edit the organizationid as shown below. I have changed the organizationid to 12401. Click on the Save button.

The organization is updated to Sandy's Organization, as shown below.

Regards,
Sandeep