Liferay Portal, Insecure Direct Object Reference, CVE-2025-XXXXX (Moderate)


The CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the Liferay Publications module. The flaw lies in the handling of the `_com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId` parameter: this user-controlled key is used to look up a specific publication object directly, without a sufficient authorization check. An authenticated attacker can change the parameter's value in HTTP requests to reference publications they do not own, because the system never verifies that the requesting user holds the 'VIEW' or 'EDIT' permission for the targeted publication ID. By iterating through numeric `ctCollectionId` values, an attacker can therefore bypass the application's access control layer and load the edit page of any publication, gaining unauthorized access to sensitive change tracking data.
Platform: Liferay Portal/DXP
Version: 7.3.1-7.4.3.111
Vulnerability: IDOR
Severity: Moderate

Date: 2024-10-13

Prediction: Patch available

What Undercode Says:

curl -u "user:pass" "http://liferay-host/group/guest/~/control_panel/manage?p_p_id=com_liferay_change_tracking_web_portlet_PublicationsPortlet&_com_liferay_change_tracking_web_portlet_PublicationsPortlet_ctCollectionId=ATTACKER_ID"
// Example vulnerable parameter mapping (the portlet container strips the
// "_<portletId>_" namespace prefix, so the handler reads the bare parameter name)
long ctCollectionId = ParamUtil.getLong(actionRequest, "ctCollectionId");
Publication publication = PublicationLocalServiceUtil.getPublication(ctCollectionId); // Missing auth check: no VIEW/EDIT permission is verified before the object is returned

How to Exploit:

Manipulate `ctCollectionId` parameter.

Bypass publication view authorization.

Access unauthorized publication edit pages.

Protection from this CVE:

Apply vendor patch.

Implement access control checks.

Validate that the requesting user holds the required permission on the specific publication before loading it.
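A hardened version of the parameter handling sketched above, written here as an added example and not taken from Liferay's code: it only returns the publication after an explicit permission check on that object for the calling user. ParamUtil, PermissionChecker, PermissionThreadLocal, ModelResourcePermission, ActionKeys and PrincipalException are real Liferay kernel classes; the Publication model, PublicationLocalServiceUtil and the injected publicationModelResourcePermission are assumed names that follow the page's own snippet.

```java
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.security.auth.PrincipalException;
import com.liferay.portal.kernel.security.permission.ActionKeys;
import com.liferay.portal.kernel.security.permission.PermissionChecker;
import com.liferay.portal.kernel.security.permission.PermissionThreadLocal;
import com.liferay.portal.kernel.security.permission.resource.ModelResourcePermission;
import com.liferay.portal.kernel.util.ParamUtil;

import javax.portlet.ActionRequest;

// Added example, not Liferay's code. Publication and PublicationLocalServiceUtil
// follow the page's own (assumed) snippet; publicationModelResourcePermission is an
// assumed ModelResourcePermission<Publication>, normally injected with @Reference.
public class PublicationEditHandler {

    private final ModelResourcePermission<Publication> publicationModelResourcePermission;

    public PublicationEditHandler(
        ModelResourcePermission<Publication> publicationModelResourcePermission) {
        this.publicationModelResourcePermission = publicationModelResourcePermission;
    }

    // Loads the publication named by the request only after proving the caller may edit it.
    public Publication getPublicationForEdit(ActionRequest actionRequest)
        throws PortalException {

        // Same user-controlled key as the vulnerable snippet; the container has
        // already stripped the "_<portletId>_" namespace prefix seen in the URL.
        long ctCollectionId = ParamUtil.getLong(actionRequest, "ctCollectionId");

        // Identity comes from the authenticated session, never from request parameters.
        PermissionChecker permissionChecker = PermissionThreadLocal.getPermissionChecker();

        // Guests cannot edit anything; fail closed before touching persistence.
        if ((permissionChecker == null) || !permissionChecker.isSignedIn()) {
            throw new PrincipalException.MustBeAuthenticated("guest");
        }

        // getPublication throws for unknown ids, so iterated ids that miss
        // never reach the permission check and never render an edit page.
        Publication publication = PublicationLocalServiceUtil.getPublication(ctCollectionId);

        // The actual IDOR fix: check UPDATE on this specific object for this specific
        // user. ModelResourcePermission.check throws PrincipalException on denial.
        publicationModelResourcePermission.check(
            permissionChecker, publication, ActionKeys.UPDATE);

        return publication;
    }
}
```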

Impact:

Unauthorized data access.

Information disclosure.

Change tracking exposure.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
