Liferay Json Service Multiple Information Leakage

Tested Versions:

Liferay Portal 4.x and 5.x

Minded Security ReferenceID:



Discovered by
Stefano Di Paola of Minded Security
stefano.dipaola [_at_]



High: it is possible to access functionalities and
sensitive users’ information.


Grant access only to standard web functionalities and prevent direct
access to JSON service.


It is possible to access several classes and static methods and obtain several sensitive information.


It is possible to access several methods making a direct request to the following URL


via POST with a payload like the following:


An authenticated user can perform a request like the previous to obtain an answer from the server like the following:

HTTP/1.1 200 OK

FunctionNameJs({response JSON object});

It was possible to analize the accessible methods and it was noted that several classes and static methods are accessible, but a lot of them perform access control.
However, there are several methods that return information about users that do not perform administrative access control or that are allowed to logged users. This methods can be used to obtain sensitive information.
For example, an attacker could use the method “getRoleUsers” in order to obtain internal Liferay passwords in SHA-1 format coded in Base64 making the following request (administrative role id is 10107).

POST /c/portal/json_service HTTP/1.1


HTTP/1.1 200 OK


As it is possible to see, inside the server answere there is the object related to
the admin user with his own password in SHA-1 format (without salt).

Disclosure Timeline

25/10/09 Issue found
12/05/10 Reported to Vendor


The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information.

In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Any use of this information is at the user’s own risk. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of Minded Security Research Lab. If you wish to reprint the whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail for permission.


Implement the right DevSecOps automation and Continuous Web Application Scanning for your needs.

consulting minded security


We are a Consultancy Company focused in supporting Companies to develop secure products.

testing minded security


We performs software security analysis in white box mode and black box mode.

training minded security


Training and awareness in software security is critical for information security.