Issue
- An organization's member list can be viewed by an Organization Admin of a different organization by tampering with the groupId parameter (_com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId) sent by the Assign Organization Roles member search. The server acts on the client-supplied groupId without checking that the caller is authorized to view that organization's members.

Here are the steps to reproduce:

1. Set up the browser proxy to 127.0.0.1:8180. For example with Chrome, navigate to Settings > System > Open your computer's proxy settings.
2. Download, install, and open Burp Suite Community Edition to track network traffic:
   - Start a temporary project in memory.
   - Select Use Burp defaults and then click Start Burp.
   - Disable/uncheck the existing default listener.
   - Navigate to Proxy > Proxy Settings > Proxy listeners > Add.
   - Set the interface from the Binding tab: Bind to port: 8180.
   - Set the redirect from the Request handling tab: Redirect to host: 127.0.0.1, Redirect to port: 8080 (the port the Liferay instance listens on).
3. Navigate to http://127.0.0.1:8180 so that all portal traffic passes through Burp.
4. Create 2 new organizations named "orgA" and "orgB" by navigating to Control Panel -> Users and Organizations -> Organizations -> New.
5. Create a new user "userA" and assign them to orgA.
6. Create a new user "userB" and assign them to orgB.
7. Assign userA as an Organization Admin for orgA (userA holds no role in orgB).
8. Open orgB's kebab menu and select Assign Organization Roles.
9. Select Account Manager.
10. From Burp, enable intercept by clicking Intercept off.
11. Navigate back to the Liferay portal and click the Search icon.
12. Copy the value of _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId from the intercepted request body (this is orgB's groupId).
13. From Burp, disable intercept by clicking Intercept on.
14. Impersonate or sign in as userA.
15. Repeat steps 8-11 for orgA.
16. In the intercepted request body, find and replace orgA's groupId with the one for orgB (step 12).
17. From Burp, click Forward a couple of times to forward the request.
Expected Results
The request should be rejected (or return no members), because userA is not authorized to view orgB's members. Modifying the groupId in the request body must not reveal another organization's users.
Actual Results
Organization B's users are displayed in the UI to userA, who has no role in orgB.
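As an added illustration (not code from this report or from Liferay), the following Python models the differential authorization test performed in steps 8-17: the same member-search body is replayed as userA once with orgA's groupId and once with orgB's, and any member returned outside the organizations userA administers is a leak. The group IDs, the `keywords` field, and the `search_members` model of the server are constructed assumptions; only the parameter name is taken from the report.

```python
"""Differential authorization check for the groupId tampering in this report.

Added example (not Liferay code). Constructed assumptions:
  - the intercepted search request is a form-urlencoded body;
  - group IDs 20123/20456 stand in for orgA/orgB, and "keywords" is a
    made-up extra field;
  - search_members() is a model of the portlet's member search, not the
    real implementation.
"""
from urllib.parse import parse_qsl, urlencode

# Parameter name taken from the report; the only real identifier here.
GROUP_ID_PARAM = "_com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId"

# Constructed fixture mirroring steps 4-7: two orgs, one member each,
# and userA as Organization Admin of orgA only.
ORG_A, ORG_B = 20123, 20456
MEMBERS = {ORG_A: {"userA"}, ORG_B: {"userB"}}
ORG_ADMINS = {"userA": {ORG_A}}


def swap_group_id(body: str, new_group_id: int) -> str:
    """Step 16: rewrite the groupId in a captured form body, keeping every
    other field (including blank ones) intact."""
    pairs = parse_qsl(body, keep_blank_values=True)
    if all(name != GROUP_ID_PARAM for name, _ in pairs):
        raise ValueError(f"{GROUP_ID_PARAM} not present in request body")
    return urlencode(
        [(name, str(new_group_id) if name == GROUP_ID_PARAM else value)
         for name, value in pairs]
    )


def group_id_of(body: str) -> int:
    """Extract the (client-controlled) groupId the server would act on."""
    return int(dict(parse_qsl(body, keep_blank_values=True))[GROUP_ID_PARAM])


class Forbidden(Exception):
    """Raised when the principal may not view members of the requested group."""


def search_members(principal: str, body: str, enforce: bool) -> set[str]:
    """Model of the member search behind the Assign Organization Roles dialog.

    enforce=False reproduces the reported behaviour: the server trusts the
    groupId from the body and returns that group's members.  enforce=True
    adds the server-side check the report shows to be missing: the caller
    must be allowed to administer the organization whose groupId was sent.
    """
    group_id = group_id_of(body)
    if enforce and group_id not in ORG_ADMINS.get(principal, set()):
        raise Forbidden(f"{principal} may not list members of group {group_id}")
    return set(MEMBERS[group_id])


def leaked_members(principal: str, body: str, enforce: bool) -> set[str]:
    """Members returned to `principal` that lie outside the organizations it
    administers.  An empty set means no leak; anything else is the IDOR."""
    try:
        visible = search_members(principal, body, enforce)
    except Forbidden:
        return set()
    allowed = set().union(*(MEMBERS[g] for g in ORG_ADMINS.get(principal, set())))
    return visible - allowed


def reproduce() -> dict:
    """Run the report's scenario and return the leak under both behaviours."""
    captured = urlencode([(GROUP_ID_PARAM, str(ORG_A)), ("keywords", "")])  # step 15
    tampered = swap_group_id(captured, ORG_B)                               # step 16
    return {
        "reported": leaked_members("userA", tampered, enforce=False),
        "with_check": leaked_members("userA", tampered, enforce=True),
    }


if __name__ == "__main__":
    print(reproduce())  # {'reported': {'userB'}, 'with_check': set()}
```

The same pattern applies to any role-member selector that takes a group or organization ID from the client: capture one legitimate request per principal, replay it with every other ID the principal should not own, and treat any non-empty difference between what is returned and what the principal administers as a finding.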
Environment
- DXP 7.4
Resolution
- Request a hotfix that includes this fix: LPD-54145