Liferay 6.1 json webservices are subject to cross-site request forgery attacks

[Jelmer Kuperus <jelmer.advisories () gmail com>]

Liferay 6.1 json webservices are subject to cross-site request forgery attacks

Description:

Liferay Portal is an enterprise portal written in Java

If a user is currently logged in to the portal (or has ticked the
remember me box) then with a
little help of social engineering (like sending a link via
email/chat), an attacker can read most
data the logged in user is priviliged to see. The reason for this is
that the new json webservices
let you pass along the name of a javascript function that should be
called with the result of
the invocation (jsonp). Because the HTML <script> tag does not respect
the same origin policy in web
browser implementations, a malicious page can request and obtain JSON
data belonging to the portal
by using the techniques described in this article

http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

Code demonstrating the vulnerability can be found at

http://issues.liferay.com/secure/attachment/46878/fun.html

Systems affected

Liferay 6.1 ce
Liferay 6.1 ee

Vendor status :

Liferay  was notified may 7 2012 by filing a bug in their public
bugtracker under issue number
LPS-27174 The issue has not yet been resolved