Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Liferay - Local File Inclusion

By kannthu

High
Vidoc logoVidoc Module
#liferay#lfi#j2ee
Description

What is "Liferay - Local File Inclusion?"

The "Liferay - Local File Inclusion" module is designed to detect a vulnerability in the Liferay software. Liferay is a popular J2EE-based platform used for building enterprise portals and websites. This module specifically targets the Liferay software and identifies instances of local file inclusion (LFI) vulnerabilities.

This vulnerability is classified as CWE-22 and has a severity level of high. It can potentially allow an attacker to include and execute arbitrary files from the local file system, leading to unauthorized access, data leakage, or even remote code execution.

This module was authored by DhiyaneshDk.

Impact

A successful exploitation of the Liferay LFI vulnerability can have serious consequences. It can expose sensitive information stored on the server, compromise user privacy, and potentially lead to further attacks on the system. It is crucial to address and mitigate this vulnerability to ensure the security of the Liferay platform.

How the module works?

The "Liferay - Local File Inclusion" module works by sending an HTTP request to the target Liferay server. The request is crafted to include a specific file path in the URL, such as "/en/WEB-INF/web.xml;.js". The module then applies a series of matching conditions to determine if the LFI vulnerability exists.

The matching conditions include:

- Checking the response body for specific words like "If all the matching conditions are met, the module reports the presence of the Liferay LFI vulnerability.

It is important to note that this module is just one test case within the Vidoc platform, which utilizes multiple modules to perform comprehensive scanning and detection of various misconfigurations, vulnerabilities, and software fingerprints.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/en/WEB-INF/web.xml;...
Matching conditions
word: <web-app id=, <?xmland
word: application/xmland
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability