
Liferay 6.1 can be compromised in its default configuration

Liferay Portal is an enterprise portal written in Java.

By using the JSON web services exposed by the platform, an attacker can
register a new user with any role in the system, including the built-in
Administrator role.
The problem lies in the addUser method of UserServiceUtil, which
accepts a roleIds parameter: there is no check on whether the calling
user has the right to assign those roles. User self-registration must
be enabled on the portal for this attack to work.
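Until the vendor ships a fix, the practical defence is to notice when a
self-registration request carries a roleIds value it has no business
carrying. The script below is an added example, not part of this advisory
and not Liferay code: it scans web-server access logs for calls to the
user-creation JSON web service that include a non-empty roleIds parameter
and rates anonymous callers highest. It assumes the "combined" log format,
that the request parameters are visible in the logged request line, and
that the JSON web service path for addUser is /api/jsonws/user/add-user
(the advisory names only the addUser method; the hyphenated path is the
assumed mapping). The log lines, role ids and company id are constructed
sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Hosts, ids and timestamps are made up for illustration only.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2012:10:01:12 +0000] "GET /web/guest/home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2012:10:01:40 +0000] "POST /api/jsonws/user/add-user?companyId=99001&screenName=eve&emailAddress=eve%40example.test&firstName=Eve&lastName=X&roleIds=11111&sendEmail=false HTTP/1.1" 200 842 "-" "python-requests/0.11"
198.51.100.9 - - [15/Apr/2012:10:02:03 +0000] "POST /api/jsonws/user/add-user?companyId=99001&screenName=bob&emailAddress=bob%40example.test&firstName=Bob&lastName=Y&roleIds= HTTP/1.1" 200 790 "-" "Mozilla/5.0"
198.51.100.9 - admin [15/Apr/2012:10:05:44 +0000] "POST /api/jsonws/user/add-user?companyId=99001&screenName=carol&roleIds=11111,11112 HTTP/1.1" 200 801 "-" "Mozilla/5.0"
"""

# Fields of the combined format that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed JSON web service mapping of UserServiceUtil.addUser (see lead-in).
ADD_USER_RE = re.compile(r"^/api/jsonws/user/add-user(?:$|[/?])")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["endpoint"] = parts.path
    # keep_blank_values so an empty "roleIds=" is still seen and then ignored below
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def requested_role_ids(params):
    """roleIds may be repeated or comma-separated; return the set of non-empty ids."""
    ids = set()
    for value in params.get("roleIds", []):
        for part in value.split(","):
            part = part.strip()
            if part:
                ids.add(part)
    return ids


def flag_privileged_self_registration(log_text):
    """Return findings for addUser calls that try to assign roles.

    An anonymous caller ("-" in the auth field) passing roleIds is exactly the
    pattern the advisory describes and is rated "high"; an authenticated caller
    may be a legitimate administrator and is rated "review" for a human look.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ADD_USER_RE.search(rec["endpoint"]):
            continue
        roles = requested_role_ids(rec["params"])
        if not roles:
            continue
        findings.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "time": rec["time"],
            "roles": roles,
            "status": rec["status"],
            "severity": "high" if rec["user"] == "-" else "review",
        })
    return findings


if __name__ == "__main__":
    for f in flag_privileged_self_registration(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['ip']} user={f['user']} "
              f"roleIds={sorted(f['roles'])} status={f['status']}")
```

Run against the embedded sample, the scan reports the anonymous request
that asks for a role as high severity, skips the request whose roleIds is
empty, and lists the administrator's call for review. If the portal is only
reached through POST bodies that the web server does not log, the same logic
belongs in a reverse proxy or the application log that does record request
parameters.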

Proof of concept:

Code demonstrating the vulnerability can be found at


Systems affected:

Liferay 6.1 CE is confirmed to be vulnerable.
Liferay 6.1 EE is most likely vulnerable.
Liferay 6 is probably only vulnerable when the SOAP, Hessian, Burlap or
HttpInvoker services are available to the attacker.

Vendor status:

Liferay was notified on April 15, 2012 by filing a bug in their public
bug tracker under issue number LPS-26705. The issue has since been
flagged as private and has not yet been resolved.