Security Flaw - Possibility to intercept request
Sandeep Nair, modified 15 years ago.
Security Flaw - Possibility to intercept request
Liferay Legend, Posts: 1744, Join Date: 06.11.08
Hi,
We are using WebScarab for penetration testing, and we have found that we can change parameters by intercepting the request using WebScarab.
Is there a way by which I can make sure the request, even if intercepted, cannot be manipulated by anyone?
Regards,
Sandeep
Maulin Rathod, modified 15 years ago.
RE: Security Flaw - Possibility to intercept request
Junior Member, Posts: 61, Join Date: 06.11.08
This is a serious issue. A user can modify request parameters using tools like Firebug. By manipulating parameters, a user can perform actions for which the user has no privilege.
How can we handle it? Any help on this will be greatly appreciated.
Samuel Kong, modified 15 years ago.
RE: Security Flaw - Possibility to intercept request
Liferay Legend, Posts: 1902, Join Date: 10.03.08
Sandeep, can you provide additional details, such as which parameters and which portlet this issue affects, so that Liferay can be patched if needed?
Maulin Rathod, modified 15 years ago.
RE: Security Flaw - Possibility to intercept request
Junior Member, Posts: 61, Join Date: 06.11.08
The My Account portlet has the following hidden parameters which can be manipulated by the user.
parameter name = _2_organizationIds -- the user can change their organization.
parameter name = _2_cmd -- the user can change the parameter value from update to add (so it will create a new user).
parameter name = _2_emailAddress -- the user can update the email address.
Sandeep Nair, modified 15 years ago.
RE: Security Flaw - Possibility to intercept request
Liferay Legend, Posts: 1744, Join Date: 06.11.08
Yep, those are the parameters.
Bruno Farache, modified 15 years ago.
RE: Security Flaw - Possibility to intercept request
Liferay Master, Posts: 603, Join Date: 14.05.07
Are you logged in with a user that has permissions to make these changes?
If you are logged in as admin, then yes, you have permissions to make these changes.
Sandeep Nair, modified 15 years ago.
RE: Security Flaw - Possibility to intercept request
Liferay Legend, Posts: 1744, Join Date: 06.11.08
Hi Bruno,
Actually, we are using WebScarab to intercept the requests, then modify the parameters and send them again.
Regards,
Sandeep
Samuel Kong, modified 15 years ago.
RE: Security Flaw - Possibility to intercept request
Liferay Legend, Posts: 1902, Join Date: 10.03.08
There is no security issue related to those parameters.
_2_cmd -- checked on lines 173 and 571 in UserServiceImpl
_2_organizationIds -- checked on line 598 in UserServiceImpl
_2_emailAddress -- users should be able to update their email address.
* Line numbers based on revision 27984
Sandeep Nair, modified 15 years ago.
RE: Security Flaw - Possibility to intercept request
Liferay Legend, Posts: 1744, Join Date: 06.11.08
Here's how we can edit the organization using Firebug.
Login as a normal user who is not admin.
Go to My Account. Right now the organization is Maulin Org, as shown below.
Next, using Firebug, edit organizationId as shown below. I have changed organizationId to 12401. Click on the save button.
The organization is updated to Sandy's Organization, as shown below.
Regards,
Sandeep
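The thread shows the core problem: hidden form fields (`_2_cmd`, `_2_organizationIds`, `_2_emailAddress`) are client-controlled, so a proxy or Firebug can rewrite them, and the only defence is to re-derive every privileged decision on the server from the session and the permission store. The following is an added example, not Liferay's code and not the checks in UserServiceImpl that Samuel Kong refers to: it models a hardened handler for the My Account update in plain Python. The `User` class, the permission strings (`ADD_USER`, `ASSIGN_MEMBERS:<orgId>`), the `handle_my_account_update` function and all sample users are constructed for this example and are not Liferay identifiers.

```python
import re
from dataclasses import dataclass

# Constructed permission names for this example (hypothetical, not Liferay ActionKeys).
ADD_USER = "ADD_USER"
ASSIGN_MEMBERS = "ASSIGN_MEMBERS"


@dataclass
class User:
    user_id: int
    email: str
    organization_ids: frozenset
    permissions: frozenset = frozenset()  # e.g. "ADD_USER", "ASSIGN_MEMBERS:12401"


class AuthorizationError(Exception):
    """The untrusted parameters ask for something the session user may not do."""


class ValidationError(Exception):
    """Malformed or conflicting input."""


def parse_organization_ids(raw: str) -> frozenset:
    """Parse the comma-separated hidden field; anything that is not an integer is rejected."""
    if raw.strip() == "":
        return frozenset()
    try:
        return frozenset(int(part) for part in raw.split(","))
    except ValueError as exc:
        raise ValidationError(f"bad organizationIds: {raw!r}") from exc


def can_assign(user: User, org_id: int) -> bool:
    return f"{ASSIGN_MEMBERS}:{org_id}" in user.permissions


def handle_my_account_update(session_user: User, params: dict, user_store: dict) -> User:
    """session_user is resolved server-side from the session, never from the form.
    params is the raw form data (possibly tampered with in a proxy such as WebScarab).
    user_store maps user_id -> User and stands in for the database."""
    cmd = params.get("_2_cmd", "update")

    # 1. cmd: the self-service form only updates the caller's own record; "add" is a
    #    privileged operation decided by the server-side permission set, not by the field.
    if cmd == "add" and ADD_USER not in session_user.permissions:
        raise AuthorizationError("cmd=add requires ADD_USER")
    if cmd not in ("add", "update"):
        raise ValidationError(f"unknown cmd {cmd!r}")

    # 2. organizationIds: diff the submitted set against the stored record and require
    #    ASSIGN_MEMBERS on every organization that is added or removed. An unchanged set
    #    needs no permission, so an ordinary email-only edit still succeeds.
    current = user_store[session_user.user_id].organization_ids
    default_raw = ",".join(str(o) for o in sorted(current))
    requested = parse_organization_ids(params.get("_2_organizationIds", default_raw))
    for org_id in current ^ requested:
        if not can_assign(session_user, org_id):
            raise AuthorizationError(f"not permitted to change membership of organization {org_id}")

    # 3. emailAddress: a user may change their own address, but it must be well formed
    #    and must not collide with another account.
    email = params.get("_2_emailAddress", session_user.email).strip().lower()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValidationError(f"bad email {email!r}")
    for other in user_store.values():
        if other.user_id != session_user.user_id and other.email == email:
            raise ValidationError("email address already in use")

    updated = User(session_user.user_id, email, requested, session_user.permissions)
    user_store[session_user.user_id] = updated
    return updated


def demo() -> dict:
    """Replay the tampering from the thread against the hardened handler (constructed data)."""
    store = {
        10: User(10, "alice@example.com", frozenset({100})),  # normal user, member of org 100
        11: User(11, "bob@example.com", frozenset({100})),
        1: User(1, "admin@example.com", frozenset(),
                frozenset({ADD_USER, "ASSIGN_MEMBERS:100", "ASSIGN_MEMBERS:12401"})),
    }
    alice, admin = store[10], store[1]
    results = {}

    def attempt(label, user, params):
        try:
            handle_my_account_update(user, params, store)
            results[label] = "allowed"
        except (AuthorizationError, ValidationError):
            results[label] = "denied"

    # Hidden organizationIds rewritten from 100 to 12401, as in the Firebug walkthrough.
    attempt("org_tamper", alice, {"_2_cmd": "update", "_2_organizationIds": "12401"})
    # cmd switched from update to add by a user without ADD_USER.
    attempt("cmd_tamper", alice, {"_2_cmd": "add", "_2_organizationIds": "100"})
    # Email changed to one that another account already owns.
    attempt("email_collision", alice, {"_2_organizationIds": "100", "_2_emailAddress": "bob@example.com"})
    # Legitimate self-service edit of the caller's own email address.
    results["email_self"] = handle_my_account_update(
        alice, {"_2_organizationIds": "100", "_2_emailAddress": "Alice.New@example.com"}, store).email
    # Legitimate: a caller holding ASSIGN_MEMBERS on 12401 may move into that organization.
    results["admin_org"] = sorted(handle_my_account_update(
        admin, {"_2_organizationIds": "12401"}, store).organization_ids)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that none of the three fields is trusted as an instruction: `_2_cmd` is gated by a permission the server already knows about, `_2_organizationIds` is treated as a proposed new state whose delta is authorized organization by organization, and `_2_emailAddress` is validated but otherwise allowed, matching Samuel Kong's point that users should be able to change their own address. Denied attempts raise a distinct exception type, which is also the natural place to emit an audit log line for detecting parameter-tampering attempts.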