When using the AuthLoginPrompt component, if the value of the auth.login.prompt.enabled component is set to false, this issue can be exploited to obtain unauthenticated access to the portal. When this issue occurs in Liferay Portal v7.0.0 through v7.4.2, the following can be observed: in the Web console, under the Access panel, an attacker can see the full path to the requested page (for example: /index.jsp). If a user has been granted access to a particular page, the attacker can see the username of the user. If there is a certain page that should be restricted to users with a certain role, the attacker can enumerate the roles of the user by viewing the page path (for example: /admin/users/123/role.xhtml). In the role.xhtml page, the attacker can see the full path to the requested page (for example: /admin/users/123/role.jsp).

References:

Liferay Security Advisory - https://www.liferay.com/security-advisories/CVE-2022-41414

CVE-2023-41415

When using the AuthLoginPrompt component, if the value of the auth.login.prompt.enabled component is set to false, this vulnerability can be exploited to obtain unauthenticated access to the portal. When this issue occurs in Liferay Portal v7.0.0 through v7.4.2, the following can be observed: in the Web console, under the Access panel, an attacker can see the full path to the requested page (for example: /index.jsp). If a user has been granted access to a particular page, the attacker can see the username of the user. If there is a certain page that should be restricted to users with a certain role, the attacker can enumerate the roles of the user by viewing the page path (for example: /admin/users/123/role.xhtml). In the role.xhtml page, an attacker can see all permissions assigned to a particular user or group of users by viewing their permissions in "View Users With Special Permissions" and "View Groups With Special Permissions".

Exploitation Steps

The following steps are performed by exploiting this vulnerability:

1. The attacker creates a new session by logging into the portal.
2. The attacker navigates to a page which should be restricted for certain users.
3. The attacker enters an unauthenticated request for that specific page.
4. The attacker is granted access to the requested page.

Timeline

Published on: 10/07/2022 18:15:00 UTC
Last modified on: 10/11/2022 12:54:00 UTC
