Liferay 6.1 JSON web services are subject to cross-site request forgery attacks

Description:

Liferay Portal is an enterprise portal written in Java.

If a user is currently logged in to the portal (or has ticked the "remember me" box), then with a little help of social engineering (such as sending a link via email or chat), an attacker can read most data the logged-in user is privileged to see.

The reason for this is that the new JSON web services let you pass along the name of a JavaScript function that should be called with the result of the invocation (JSONP). Because the HTML <script> tag does not respect the same-origin policy in web browser implementations, a malicious page can request and obtain JSON data belonging to the portal by using the techniques described in this article:
http://www.xml.com/pub/a/2005/12/21/json-dynamic-script-tag.html

Code demonstrating the vulnerability can be found at:
http://issues.liferay.com/secure/attachment/46878/fun.html

Systems affected:
Liferay 6.1 CE
Liferay 6.1 EE

Vendor status:
Liferay was notified May 7 2012 by filing a bug in their public bug tracker under issue number LPS-27174. The issue has not yet been resolved.