Sandeep Nair
Security Flaw - Possibility to intercept request
2009/03/17 4:32
Rank: Liferay Legend
Posts: 1671
Joined: 2008/11/05

Hi,

We are using Webscarab for penetration testing, and we found that we can change parameters by intercepting the request using Webscarab.

Is there a way by which I can make sure the request, even if intercepted, cannot be manipulated by anyone?

Regards,
Sandeep
Maulin Rathod
RE: Security Flaw - Possibility to intercept request
2009/03/17 6:27
Rank: Junior Member
Posts: 61
Joined: 2008/11/06

This is a serious issue. A user can modify request parameters using tools like Firebug. By manipulating parameters, a user can perform actions for which the user has no privilege.

How can we handle it? Any help on this will be greatly appreciated.
Samuel Kong
RE: Security Flaw - Possibility to intercept request
2009/03/17 11:59
Liferay Staff
Rank: Liferay Master
Posts: 899
Joined: 2008/03/10

Sandeep, can you provide additional details, such as which parameters and which portlet this issue affects, so that Liferay can be patched if needed.
Maulin Rathod
RE: Security Flaw - Possibility to intercept request
2009/03/17 19:03
Rank: Junior Member
Posts: 61
Joined: 2008/11/06

The My Account portlet has the following hidden parameters which can be manipulated by the user.

_2_organizationIds -- the user can change his organisation.

_2_cmd -- the user can change the parameter value from update to add (so it will create a new user).

_2_emailAddress -- the user can update the email address.
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
2009/03/18 4:06
Rank: Liferay Legend
Posts: 1671
Joined: 2008/11/05

Yep, those are the parameters.
Bruno Farache
RE: Security Flaw - Possibility to intercept request
2009/03/18 8:40
Liferay Staff
Rank: Expert
Posts: 406
Joined: 2007/05/14

Are you logged in with a user that has permissions to make these changes?

If you are logged in as admin, then yes, you have permissions to make these changes.
Samuel Kong
RE: Security Flaw - Possibility to intercept request
2009/03/18 11:34
Liferay Staff
Rank: Liferay Master
Posts: 899
Joined: 2008/03/10

There is no security issue related to those parameters.

_2_cmd -- checked on lines 173 and 571 in UserServiceImpl

_2_organizationIds -- checked on line 598 in UserServiceImpl

_2_emailAddress -- users should be able to update their email address.

* Line numbers based on revision 27984
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
2009/03/18 22:22
Rank: Liferay Legend
Posts: 1671
Joined: 2008/11/05

Hi Bruno,

Actually we are using Webscarab to intercept the requests, then modify the parameters and send them again.

Regards,
Sandeep
Sandeep Nair
RE: Security Flaw - Possibility to intercept request
2009/03/18 23:29
Rank: Liferay Legend
Posts: 1671
Joined: 2008/11/05

Here's how we can edit the organization using Firebug.

Login as a normal user who is not admin.

Go to My Accounts. Right now the organization is Maulin Org, as shown below.

Next, using Firebug, edit organizationId as shown below. I have changed organizationId to 12401. Click on the Save button.

The organization is updated to Sandy's Organization, as shown below.

Regards,
Sandeep
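The walkthrough above, Maulin's list of hidden parameters and Samuel's pointer to the checks in UserServiceImpl all turn on one rule: an intercepting proxy lets the client send any value in any field, so the request itself cannot be made tamper-proof; the server has to derive authority from the authenticated session and re-check every privileged action. The Python below is an added example written for this thread, not Liferay code and not anything the posters provided. The users, organization ids (12300, 12401), roles, request body and the handle_vulnerable / handle_hardened functions are constructed stand-ins modelled on the parameters named in the thread (_2_cmd, _2_organizationIds, _2_emailAddress); they do not reproduce UserServiceImpl.

```python
"""Added example: a tampered hidden form field must be re-authorized on the server.

Not Liferay code. Every name here (User, fresh_directory, ORGANIZATIONS,
handle_vulnerable, handle_hardened, LEGIT_BODY) is hypothetical and constructed
for illustration; it mirrors the thread's parameter names only.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode


@dataclass
class User:
    user_id: int
    email: str
    org_id: int
    roles: set = field(default_factory=set)


def fresh_directory() -> dict:
    """Constructed in-memory user store standing in for the portal database."""
    return {
        1001: User(1001, "maulin@example.org", org_id=12300, roles={"user"}),
        1: User(1, "admin@example.org", org_id=12300, roles={"user", "administrator"}),
    }


# Constructed organization ids; 12401 is the value typed into Firebug in the thread.
ORGANIZATIONS = {12300: "Maulin Org", 12401: "Sandy's Organization"}


def parse_portlet_form(body: str) -> dict:
    """Decode a form body and strip the portlet namespace prefix (_2_cmd -> cmd)."""
    out = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        name = key.split("_", 2)[2] if key.startswith("_") and key.count("_") >= 2 else key
        out[name] = values[0]
    return out


def tamper(body: str, name: str, value: str) -> str:
    """What WebScarab or Firebug lets the client do: rewrite one field and resend."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    params[name] = value
    return urlencode(params)


def handle_vulnerable(users: dict, session_user_id: int, body: str) -> str:
    """Trusts every submitted field, hidden ones included: the flaw the thread fears."""
    form = parse_portlet_form(body)
    user = users[session_user_id]
    if form["cmd"] == "add":  # anyone can flip update -> add and create an account
        new_id = max(users) + 1
        users[new_id] = User(new_id, form["emailAddress"], int(form["organizationIds"]), {"user"})
        return f"created {new_id}"
    user.email = form["emailAddress"]
    user.org_id = int(form["organizationIds"])  # client-chosen, never checked
    return "updated"


def handle_hardened(users: dict, session_user_id: int, body: str) -> str:
    """Authority comes from the session user; each privileged action is re-checked."""
    form = parse_portlet_form(body)
    actor = users[session_user_id]
    is_admin = "administrator" in actor.roles
    cmd = form.get("cmd", "update")
    if cmd == "add":
        if not is_admin:
            raise PermissionError("cmd=add requires the add-user permission")
        new_id = max(users) + 1
        users[new_id] = User(new_id, form["emailAddress"], int(form["organizationIds"]), {"user"})
        return f"created {new_id}"
    if cmd != "update":
        raise ValueError(f"unknown cmd {cmd!r}")
    # Editing one's own e-mail address is the intended use of the form, so it is allowed.
    actor.email = form.get("emailAddress", actor.email)
    requested_org = int(form.get("organizationIds", actor.org_id))
    if requested_org != actor.org_id:
        if requested_org not in ORGANIZATIONS:
            raise ValueError("unknown organization")
        if not is_admin:
            raise PermissionError("changing organization membership requires administrator")
        actor.org_id = requested_org
    return "updated"


# Constructed body as the browser would legitimately submit it for user 1001.
LEGIT_BODY = "_2_cmd=update&_2_organizationIds=12300&_2_emailAddress=maulin%40example.org"


def replay_attack(handler) -> tuple:
    """Non-admin user 1001 intercepts the save, sets organizationIds=12401, resends."""
    users = fresh_directory()
    tampered = tamper(LEGIT_BODY, "_2_organizationIds", "12401")
    try:
        outcome = handler(users, 1001, tampered)
    except PermissionError as exc:
        outcome = f"rejected: {exc}"
    return outcome, ORGANIZATIONS[users[1001].org_id]


if __name__ == "__main__":
    print(replay_attack(handle_vulnerable))  # ('updated', "Sandy's Organization")
    print(replay_attack(handle_hardened))    # ('rejected: ...', 'Maulin Org')
```

The same replay drives both handlers: the trusting one moves the user into organization 12401 exactly as in the screenshots, while the hardened one rejects the change and keeps the original membership. Note that the hardened handler still lets the user change his own e-mail address, which matches Samuel's point that _2_emailAddress is meant to be editable; the check is per action, not a blanket refusal of edited requests.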