When using the AuthLoginPrompt component, if the auth.login.prompt.enabled setting is set to false, this issue can be exploited to obtain unauthenticated access to the portal. When this issue occurs in Liferay Portal v7.0.0 through v7.4.2, the following can be observed:

In the Web console, under the Access panel, an attacker can see the full path to the requested page. For example: /index.jsp

If a user has been granted access to a particular page, the attacker can see the username of that user.

If a page is restricted to users with a certain role, the attacker can enumerate the roles of the user by viewing the page path. For example: /admin/users/123/role.xhtml

In the role.xhtml page, the attacker can see the full path to the requested page. For example: /admin/users/123/role.jsp
References:
Liferay Security Advisory - https://www.liferay.com/security-advisories/CVE-2022-41414
CVE-2023-41415
When using the AuthLoginPrompt component, if the auth.login.prompt.enabled setting is set to false, this vulnerability can be exploited to obtain unauthenticated access to the portal. When this issue occurs in Liferay Portal v7.0.0 through v7.4.2, the following can be observed:

In the Web console, under the Access panel, an attacker can see the full path to the requested page. For example: /index.jsp

If a user has been granted access to a particular page, the attacker can see the username of that user.

If a page is restricted to users with a certain role, the attacker can enumerate the roles of the user by viewing the page path. For example: /admin/users/123/role.xhtml

In the role.xhtml page, an attacker can see all permissions assigned to a particular user or group of users by viewing their permissions under "View Users With Special Permissions" and "View Groups With Special Permissions".
Exploitation Steps
Exploitation proceeds as follows:
1. The attacker creates a new session by logging into the portal.
2. The attacker navigates to a page which should be restricted for certain users.
3. The attacker sends an unauthenticated request for that specific page.
4. The attacker is granted access to the requested page.
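The observable effect of the steps above is a successful (2xx) response to a restricted page on a request that carries no authenticated user, often repeated across several user IDs while roles are enumerated. The following detection script is an added example, not code from the advisory or from Liferay: it parses constructed web-server access-log lines in combined log format (the log lines, the use of "-" in the user field to mean "no authenticated user", and the choice of /admin/ as the restricted path prefix are all assumptions for this example), flags unauthenticated 2xx hits on restricted paths, and groups them by source address to surface enumeration-style activity.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in Apache/Nginx combined log format.
# The format, the "-" user field convention and the /admin/ prefix are
# assumptions made for this example; they are not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Oct/2022:18:15:01 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Oct/2022:18:15:04 +0000] "GET /admin/users/123/role.xhtml HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - jsmith [07/Oct/2022:18:16:10 +0000] "GET /admin/users/123/role.xhtml HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Oct/2022:18:17:30 +0000] "GET /admin/users/124/role.xhtml HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Oct/2022:18:18:00 +0000] "GET /admin/users/125/role.xhtml HTTP/1.1" 200 2210 "-" "curl/7.81.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed: path prefixes that must only be served to an authenticated, authorised user.
RESTRICTED_PREFIXES = ("/admin/",)


@dataclass(frozen=True)
class Finding:
    ip: str
    ts: str
    path: str


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_restricted_hits(log_text):
    """Return a Finding for every 2xx response to a restricted path with no authenticated user."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                                   # skip lines in another format
        if rec["user"] != "-":
            continue                                   # an authenticated user was recorded
        if not rec["path"].startswith(RESTRICTED_PREFIXES):
            continue                                   # not a restricted page
        if not rec["status"].startswith("2"):
            continue                                   # redirect/denial, the control held
        findings.append(Finding(rec["ip"], rec["ts"], rec["path"]))
    return findings


def enumeration_suspects(findings, min_distinct_paths=2):
    """Group findings by source IP and keep IPs that reached several distinct restricted paths."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.ip, set()).add(f.path)
    return {ip: sorted(paths) for ip, paths in by_ip.items() if len(paths) >= min_distinct_paths}


if __name__ == "__main__":
    hits = find_unauthenticated_restricted_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} unauthenticated 2xx on {h.path}")
    for ip, paths in enumeration_suspects(hits).items():
        print(f"possible enumeration from {ip}: {', '.join(paths)}")
```

On the constructed sample the script reports the two unauthenticated 200 responses from 203.0.113.5 and ignores the authenticated request from jsmith and the 302 (the request that was correctly redirected to login). The user field in a front-end proxy log is only populated when the proxy itself authenticates, so in a real deployment the same check is better run against whatever log carries the portal session or user identity.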
Timeline
Published on: 10/07/2022 18:15:00 UTC
Last modified on: 10/11/2022 12:54:00 UTC