Security vulnerabilities are a primary concern for any web application, and one of the most common types of attacks is SQL injection. Today, we're going to explore the CVE-2022-42122 vulnerability, which is a SQL injection vulnerability found in the Friendly Url module of Liferay Portal 7.3.7 and Liferay DXP 7.3 fix packs 2 through 4. This vulnerability allows attackers to execute arbitrary SQL commands by injecting a malicious payload into the title field of a friendly URL.

But first, let's understand Liferay, the platform under attack.

What is Liferay?

Liferay Portal is an open-source enterprise portal software solution that is designed to be used for intranets, extranets, and websites. It is built on top of the Java programming language and provides a powerful platform for developing web applications and services.

Liferay DXP (Digital Experience Platform) is the enterprise edition of Liferay Portal, which comes with additional features and support for enterprise customers.

The Vulnerability - CVE-2022-42122

CVE-2022-42122 is a SQL injection vulnerability that affects the Friendly Url module of Liferay Portal 7.3.7 and Liferay DXP 7.3 fix packs 2 through 4.

In the affected versions, an attacker can manipulate the title field of a friendly URL to include malicious SQL code, which could potentially allow unauthorized access, lead to the disclosure of sensitive information or even destruction/corruption of data.

Here's a simple example of a malicious payload:

'; DROP TABLE users; --

Exploit Details

To demonstrate the exploit, let's assume an attacker modifies the title field of a friendly URL to include the SQL injection payload, as shown in the example above.

The unsuspecting application then concatenates this input into an SQL query, like the following:

SELECT * FROM content WHERE title = ''; DROP TABLE users; --'

1. It selects content records with an empty title (which would usually return no results).

2. It executes the injected SQL command (DROP TABLE users) which would delete the "users" table from the database.

As a result, sensitive data could be exposed or compromised due to the malicious SQL commands executed by the attacker.

Mitigation Measures and Fixes

Liferay has acknowledged the vulnerability and released updates to address it. To protect your Liferay Portal or Liferay DXP application from this vulnerability, apply the relevant updates:

For Liferay DXP 7.3, apply fix pack 5 or later.

Moreover, it is always a good practice to follow secure coding guidelines to prevent SQL injection vulnerabilities. Here are some tips:

1. Use prepared statements or parameterized queries instead of concatenating user inputs into SQL queries.
2. Employ input validation techniques, such as whitelisting or regular expressions, to restrict user inputs to a specific format.

3. Escape and sanitize user inputs before using them in SQL queries.

4. Employ the principle of least privilege, ensuring that database accounts have limited access and permissions.
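As an added example (not Liferay's code, and not the module's actual friendly-URL handling), the following runs the concatenated query from the exploit section against an in-memory SQLite database and places tips 1 and 2 beside it: a parameterized lookup and an allow-list check on the title. The `content` and `users` tables and the slug format are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample schema: "content" is queried by title as in the write-up,
# "users" is the table the injected statement targets.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO content (title) VALUES ('welcome'), ('about-us');
        INSERT INTO users (name) VALUES ('admin');
    """)
    return conn

PAYLOAD = "'; DROP TABLE users; --"  # the payload quoted in the write-up

def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def lookup_vulnerable(conn, title):
    # Defect kept on purpose: the title is spliced into the SQL text, and
    # executescript() stands in for a driver that accepts stacked statements.
    query = "SELECT * FROM content WHERE title = '" + title + "'"
    conn.executescript(query)

def lookup_safe(conn, title):
    # Tip 1: bind the title as a parameter; the driver never parses it as SQL,
    # so the payload is just a string that matches no row.
    return conn.execute(
        "SELECT id, title FROM content WHERE title = ?", (title,)
    ).fetchall()

# Tip 2: allow-list the slug format (assumed: lowercase, digits, single hyphens).
FRIENDLY_TITLE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")

def is_valid_friendly_title(title):
    return FRIENDLY_TITLE.fullmatch(title) is not None

def demo():
    conn = make_db()
    lookup_vulnerable(conn, PAYLOAD)
    dropped = not table_exists(conn, "users")   # True: users table is gone
    conn = make_db()
    rows = lookup_safe(conn, PAYLOAD)           # []: no row has that title
    return dropped, rows, table_exists(conn, "users")
```

Running `demo()` shows the same payload destroying the `users` table on the concatenated path and matching nothing on the parameterized one.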

Conclusion

CVE-2022-42122 is a SQL injection vulnerability in the Friendly Url module of Liferay Portal 7.3.7 and Liferay DXP 7.3 fix packs 2 through 4. By injecting malicious payloads into the title field of a friendly URL, attackers can potentially execute arbitrary SQL commands, which may lead to unauthorized access or compromise of sensitive data. This vulnerability has been addressed in subsequent Liferay releases, but it serves as a reminder of the importance of secure coding practices and timely patching.

Timeline

Published on: 11/15/2022 01:15:00 UTC
Last modified on: 11/17/2022 15:00:00 UTC