Sandeep Nair
Security Flaw - Possibility to intercept request
17 March 2009 04:32

Sandeep Nair

Rank: Liferay Legend

Messages: 1692

Join date: 5 November 2008

Hi,

We are using WebScarab for penetration testing, and it was found that we can change parameters by intercepting the request using WebScarab.

Is there a way by which I can make sure the request, even if intercepted, cannot be manipulated by anyone?

Regards,
Sandeep
Maulin Rathod
RE: Security Flaw - Possibility to intercept request
17 March 2009 06:27

Maulin Rathod

Rank: Junior Member

Messages: 61

Join date: 6 November 2008

This is a serious issue. A user can modify request parameters using tools like Firebug. By manipulating parameters, a user can perform actions for which the user has no privilege.

How can we handle it? Any help on this will be greatly appreciated.
Samuel Kong
RE: Security Flaw - Possibility to intercept request
17 March 2009 11:59

Samuel Kong

LIFERAY STAFF

Rank: Liferay Master

Messages: 959

Join date: 10 March 2008

Sandeep, can you provide additional details, such as which parameters and which portlet this issue affects, so that Liferay can be patched if needed?
Maulin Rathod
RE: Security Flaw - Possibility to intercept request
17 March 2009 19:03

Maulin Rathod

Rank: Junior Member

Messages: 61

Join date: 6 November 2008

The My Account portlet has the following hidden parameters which can be manipulated by the user.

parameter name = _2_organizationIds -- user can change their organisation.

parameter name = _2_cmd -- user can change the parameter value from update to add (so it will create a new user).

parameter name = _2_emailAddress -- user can update the email address.
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
18 March 2009 04:06

Sandeep Nair

Rank: Liferay Legend

Messages: 1692

Join date: 5 November 2008

Yep, those are the parameters.
Bruno Farache
RE: Security Flaw - Possibility to intercept request
18 March 2009 08:40

Bruno Farache

LIFERAY STAFF

Rank: Liferay Master

Messages: 502

Join date: 14 May 2007

Are you logged in with a user that has permissions to make these changes?

If you are logged in as admin, then yes, you have permissions to make these changes.
Samuel Kong
RE: Security Flaw - Possibility to intercept request
18 March 2009 11:34

Samuel Kong

LIFERAY STAFF

Rank: Liferay Master

Messages: 959

Join date: 10 March 2008

There is no security issue related to those parameters.

_2_cmd -- Checked on lines 173 and 571 in UserServiceImpl

_2_organizationIds -- Checked on line 598 in UserServiceImpl

_2_emailAddress -- users should be able to update their email address.

* Line numbers are based on revision 27984
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
18 March 2009 22:22

Sandeep Nair

Rank: Liferay Legend

Messages: 1692

Join date: 5 November 2008

Hi Bruno,

Actually, we are using WebScarab to intercept the requests, then modify the parameters and send them again.

Regards,
Sandeep
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
18 March 2009 23:29

Sandeep Nair

Rank: Liferay Legend

Messages: 1692

Join date: 5 November 2008

Here's how we can edit the organization using Firebug.

Login as a normal user who is not admin.

Go to My Account. Right now the organization is Maulin Org, as shown below.

Next, using Firebug, edit organizationId as shown below. I have changed organizationId to 12401. Click on the Save button.

The organization is updated to Sandy's Organization, as shown below.

Regards,
Sandeep
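The thread's conclusion (Samuel Kong's note that the checks live in UserServiceImpl, and Bruno's point that an admin is simply allowed these changes) is that hidden form fields cannot be protected on the client: any proxy or browser tool can rewrite them, so the server must derive authorization from the authenticated session rather than from the submitted values. The following is an added illustration, not Liferay's code: a hypothetical handler for the three parameters named in the thread (_2_cmd, _2_organizationIds, _2_emailAddress) that rejects a tampered organization ID or a cmd=add from a non-admin caller while accepting the same request from an admin. All class and method names, the user IDs and the organization ID 12300 are constructed for the example; 12401 is the value from the post above.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration (not Liferay code): the hidden form fields from the
 * thread are re-validated on the server against the calling user's actual
 * permissions, so editing them in the browser or an intercepting proxy
 * cannot grant anything the user was not already allowed to do.
 * All names below are hypothetical.
 */
public class HiddenParamAuthzDemo {

    /** Minimal stand-in for the authenticated session user (hypothetical). */
    static final class User {
        final long userId;
        final boolean admin;
        final Set<Long> organizationIds;   // organizations the user currently belongs to
        User(long userId, boolean admin, Set<Long> organizationIds) {
            this.userId = userId;
            this.admin = admin;
            this.organizationIds = organizationIds;
        }
    }

    /** Thrown when the server-side check rejects a request. */
    static final class PermissionDeniedException extends Exception {
        PermissionDeniedException(String msg) { super(msg); }
    }

    /** Parses the comma-separated _2_organizationIds value; non-numeric input throws. */
    static Set<Long> parseOrgIds(String raw) {
        Set<Long> ids = new HashSet<>();
        if (raw == null || raw.isBlank()) return ids;
        for (String part : raw.split(",")) {
            ids.add(Long.parseLong(part.trim()));   // NumberFormatException on tampered garbage
        }
        return ids;
    }

    /**
     * Server-side handler for the My Account form. Every decision is based on
     * the authenticated caller, never on what the submitted form claims.
     */
    static String handleMyAccount(User caller, Map<String, String> params)
            throws PermissionDeniedException {
        String cmd = params.getOrDefault("_2_cmd", "update");
        Set<Long> requestedOrgs = parseOrgIds(params.get("_2_organizationIds"));

        // "add" would create a new user; only an administrator may do that.
        if (cmd.equals("add") && !caller.admin) {
            throw new PermissionDeniedException("user " + caller.userId + " may not add users");
        }
        if (!cmd.equals("add") && !cmd.equals("update")) {
            throw new PermissionDeniedException("unknown cmd " + cmd);
        }
        // A non-admin may only keep the organizations already assigned to it.
        if (!caller.admin && !requestedOrgs.equals(caller.organizationIds)) {
            throw new PermissionDeniedException("user " + caller.userId
                    + " may not change organization membership to " + requestedOrgs);
        }
        // Email is the user's own field; any caller may update it (as the thread notes).
        String email = params.get("_2_emailAddress");
        return cmd + " user " + caller.userId + " orgs=" + requestedOrgs + " email=" + email;
    }

    public static void main(String[] args) {
        // Constructed sample data: a normal user in org 12300 and an administrator.
        User normal = new User(10200L, false, Set.of(12300L));
        User admin = new User(10100L, true, Set.of());

        Map<String, String> honest = new HashMap<>();
        honest.put("_2_cmd", "update");
        honest.put("_2_organizationIds", "12300");
        honest.put("_2_emailAddress", "user@example.com");

        // Same form, but the hidden organization field was rewritten in transit.
        Map<String, String> tampered = new HashMap<>(honest);
        tampered.put("_2_organizationIds", "12401");

        try {
            System.out.println("honest:   " + handleMyAccount(normal, honest));
            System.out.println("tampered: " + handleMyAccount(normal, tampered));
        } catch (PermissionDeniedException e) {
            System.out.println("tampered rejected: " + e.getMessage());
        }
        try {
            // The identical values are legitimate when the caller really is an admin.
            System.out.println("admin:    " + handleMyAccount(admin, tampered));
        } catch (PermissionDeniedException e) {
            System.out.println("unexpected: " + e.getMessage());
        }
    }
}
```

The design point is that `handleMyAccount` never asks "did the form say this user may do it?" but "may this session's user do it?"; the rejected case is also the one worth logging, since a non-admin submitting an organization ID they do not hold is a signal of exactly the proxy-based tampering the thread describes.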