Liferay Local File Inclusion Scanner

Liferay is a popular enterprise-level open-source portal software used globally by businesses, nonprofits, and government agencies for creating and managing complex web-based applications. It provides an integrated platform for content management, collaboration, and social networking, facilitating the development of robust digital experiences for users. Liferay is often used in intranet and extranet environments due to its flexibility, scalability, and support for customisation. Organizations leverage Liferay for its modular architecture, which enables them to extend functionality as needed. Companies choose Liferay for digital solutions that need to support multiple languages, diverse workflows, and high performance. Its integration capabilities allow seamless connection with various enterprise systems, making it a valuable tool for creating a cohesive digital ecosystem.

Local File Inclusion (LFI) is a type of vulnerability that arises when an application includes files without proper validation. This can allow attackers to manipulate input parameters so that local files on the server are executed or displayed rather than the intended files. By exploiting an LFI vulnerability, attackers can potentially gain access to sensitive information on the server. In some cases, LFI vulnerabilities can be exploited further to execute arbitrary code, thereby gaining complete control over the server environment. It is a high-risk vulnerability, often targeted in penetration testing to assess the security posture of a web application.

Liferay’s vulnerability in the I18n Servlet allows for Local File Inclusion by leaking information through HTTP requests to specific file paths. Attackers can target URLs formatted as /[language]/[resource];.js or .jsp to access internal files. The vulnerable endpoint is susceptible when the application improperly handles filenames or lacks input sanitisation. An attacker can potentially leverage this entrance point to access files like configuration files containing sensitive data. Testing has shown that requests that simulate common file paths can lead to information disclosure, evidenced by returned XML data in the HTTP response. The vulnerability lies in the servlet's handling of request paths that correspond to local filesystem references.

When exploited, this LFI vulnerability can expose sensitive configuration files, application secrets, or even user data stored locally on the server. This could lead to unauthorized access to the server environment, enabling the attacker to conduct further harmful activities such as defacement, data theft, or service disruption. In severe cases, the vulnerability could be used to escalate privileges, resulting in a more complete server compromise. Thus, it represents a significant security threat to any organization running vulnerable versions of Liferay without proper mitigations in place.

REFERENCES

• https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LiferayI18nServletResourceLeaks.java