How the mentioned CVE works:
The vulnerability lies in the password reset mechanism of Liferay Portal and DXP. When a user requests a password reset, the system generates a unique token and sends it to the user's email address. Instead of storing only a cryptographic hash of that token, the application writes the token itself in plaintext to the `Token_` table in the database. Anyone who obtains read access to the database, through SQL injection, a leaked or compromised backup, or other means, can read every outstanding reset token directly. The attacker then opens the password reset validation URL with a stolen token and sets a new password for the victim's account, taking it over completely. The intended design is that the token is a secret shared only by the system and the owner of the email address; storing it in plaintext means that a database read is as good as reading the victim's mailbox.
Platform: Liferay Portal/DXP
Version: Multiple Versions
Vulnerability: Plaintext token storage
Severity: Critical
Date: 2024-XX-XX
Prediction: Patch Expected Q2 2024
What Undercode Say:
# Search files under the Liferay data directory (for example exported database dumps or backups) for the table name
grep -r "Token_" /path/to/liferay/data/dir

-- With read access to the database, list the stored reset tokens directly
SELECT token_ FROM Token_;

// Insecure storage: the raw token is persisted, so a database read reveals it
token.setTokenValue(plainTextToken);

// Secure storage: persist only a hash of the token and compare hashes at validation time
token.setTokenValue(hashFunction(plainTextToken));
How to Exploit:
1. Acquire database read access (e.g., SQL injection, leaked backup).
2. Query the `Token_` table for valid, unused tokens.
3. Navigate to the password reset confirmation URL.
4. Submit the stolen token and set a new password for the victim's account.
Protection from this CVE:
Apply the vendor patch. Store only a cryptographic hash of each reset token and compare hashes at validation time, so a database read does not yield a usable token. Restrict database access and protect backups (access controls and encryption at rest). Expire reset tokens after a short lifetime and invalidate them after a single use, which limits the window even if a token does leak.
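The mechanism, the exploit chain and the fix described above, as an added worked example that is not Liferay's own code: a small Python model of a reset-token store backed by an in-memory SQLite table named `Token_` (the table name mirrors the advisory; the columns, the `ResetTokenStore` class, `attacker_takeover` and `demo` are constructed for this illustration). Plaintext mode reproduces the flaw: reading the table hands the attacker a token that the validation step accepts. Hashed mode stores only SHA-256(token), so the value an attacker reads from the table is rejected when presented, while the real token from the email still works once and then expires.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for this example


class ResetTokenStore:
    """Password-reset token store backed by an in-memory SQLite table named
    Token_ (constructed to mirror the table the advisory names; this is not
    the real Liferay schema). With hashed=False the raw token is stored,
    which is the flaw described above; with hashed=True only its SHA-256
    digest is written, so the database never holds the secret itself."""

    def __init__(self, hashed):
        self.hashed = hashed
        self.con = sqlite3.connect(":memory:")
        self.con.execute(
            "CREATE TABLE Token_ (userId INTEGER, token_ TEXT, "
            "expires REAL, used INTEGER DEFAULT 0)"
        )

    def _stored_form(self, token):
        # Random 256-bit tokens need no salt or slow hash; a plain SHA-256
        # is enough because the input is unguessable.
        if not self.hashed:
            return token
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        """Create a reset token for user_id. The return value is what the
        email link carries; it is the only copy the legitimate user needs."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.con.execute(
            "INSERT INTO Token_ (userId, token_, expires, used) VALUES (?, ?, ?, 0)",
            (user_id, self._stored_form(token), now + TOKEN_TTL_SECONDS),
        )
        return token

    def redeem(self, user_id, presented, now=None):
        """Validate a presented token: it must match the stored form, be
        unexpired and unused. On success the token is burned (single use)."""
        now = time.time() if now is None else now
        rows = self.con.execute(
            "SELECT rowid, token_, expires, used FROM Token_ WHERE userId = ?",
            (user_id,),
        ).fetchall()
        candidate = self._stored_form(presented)
        for rowid, stored, expires, used in rows:
            if used or now > expires:
                continue
            # Constant-time comparison so a timing side channel cannot leak matches.
            if hmac.compare_digest(stored, candidate):
                self.con.execute("UPDATE Token_ SET used = 1 WHERE rowid = ?", (rowid,))
                return True
        return False

    def dump_table(self):
        """What an attacker with database read access (SQLi, backup leak) sees."""
        return self.con.execute("SELECT userId, token_ FROM Token_").fetchall()


def attacker_takeover(store, user_id):
    """Replay the exploit chain from the advisory: read the Token_ table, then
    submit each recovered value to the reset endpoint as if it were the token
    from the victim's email. Returns True if any submission is accepted."""
    leaked = [value for uid, value in store.dump_table() if uid == user_id]
    return any(store.redeem(user_id, value) for value in leaked)


def demo():
    """Run the attack against both storage modes for one victim (user 42)."""
    results = {}
    for name, hashed in (("plaintext", False), ("hashed", True)):
        store = ResetTokenStore(hashed=hashed)
        store.issue(user_id=42)
        results[name] = attacker_takeover(store, user_id=42)
    return results


if __name__ == "__main__":
    for name, pwned in demo().items():
        print(f"{name} store: account takeover from a database read = {pwned}")
```

Hashing defends against read access only. An attacker who can also write to the table can insert the hash of a token they chose, so the storage change does not replace restricting database access; it removes one class of consequence from a read-only breach, which is what this advisory is about.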
Impact:
Full account takeover. Privilege escalation. Unauthorized data access.
Sources:
Reported By: github.com

