Security issue in SimpleCaptchaSecurity issue in SimpleCaptchahttps://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1143397662026-04-07T10:22:57Z2026-04-07T10:22:57ZRE: Security issue in SimpleCaptchaMilen Dyankovhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1143530152019-07-18T14:34:24Z2019-07-18T14:34:24ZHi Mateusz Makos,<br /><br />I removed the view permissions from this entry as it is security related. <br />I'm told you are in contact with our security team via e-mail / JIRA so please keep using those channels.<br />Best,<br />MilenMilen Dyankov2019-07-18T14:34:24ZRE: Security issue in SimpleCaptchaTomáš Polešovskýhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1143427792019-07-17T13:39:54Z2019-07-17T13:39:54ZHi,I take a look at the problem. I'd like to ask you to send security sensitive topics to the community security team (security @ liferay.com). This is not severe issue but it's better to discuss things in private, you may put in risk customers and community deployments. Thank you. Tomáš Polešovský2019-07-17T13:39:54ZSecurity issue in SimpleCaptchaMateusz Makoshttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1143397652019-07-17T09:42:17Z2019-07-17T09:42:17Z<html><head></head><body>Hi,<br>I'm facing which security issue in Liferay default CAPTCHA. <br>Steps to reproduce error below :<br>As a Guest (not logged in user) I go to the site: <a href="http://localhost:8080/web/guest/home">http://localhost:8080/web/guest/home</a>. I click Sign In -> Create Account. I fill in the fields with data in such a way that after I click Save button the page will be reloaded and I get validation messager (e.g. if enter Screen name that already exist In database or I enter incorrect Text Verification). As a password I enter: test1. I click the Save button. After reloading the page I go to site source code. I'm looking for a previous entered password (phrase "test1"). I was able to find this phrase in 2 places. Code snippets below.<br>Code snippet 1:<br><pre><code><div class="taglib-captcha">
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;<img alt="Text to Identify" class="captcha" id="_com_liferay_login_web_portlet_LoginPortlet_captcha" src="http://localhost:8080/web/guest/home?p_p_id=com_liferay_login_web_portlet_LoginPortlet&amp;p_p_lifecycle=2&amp;p_p_state=maximized&amp;p_p_mode=view&amp;p_p_resource_id=%2Flogin%2Fcaptcha&amp;p_p_cacheability=cacheLevelPage&amp;p_p_lifecycle=1&amp;_com_liferay_login_web_portlet_LoginPortlet_redirect=&amp;_com_liferay_login_web_portlet_LoginPortlet_birthday=01%2F01%2F1970&amp;_com_liferay_login_web_portlet_LoginPortlet_lastName=test&amp;_com_liferay_login_web_portlet_LoginPortlet_javax.portlet.action=%2Flogin%2Fcreate_account&amp;_com_liferay_login_web_portlet_LoginPortlet_formDate=1563352565441&amp;_com_liferay_login_web_portlet_LoginPortlet_openId=&amp;_com_liferay_login_web_portlet_LoginPortlet_suffixValue=&amp;_com_liferay_login_web_portlet_LoginPortlet_languageId=en_US&amp;_com_liferay_login_web_portlet_LoginPortlet_prefixValue=&amp;_com_liferay_login_web_portlet_LoginPortlet_screenName=test&amp;_com_liferay_login_web_portlet_LoginPortlet_birthdayMonth=0&amp;_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName=%2Flogin%2Fcreate_account&amp;_com_liferay_login_web_portlet_LoginPortlet_firstName=test&amp;_com_liferay_login_web_portlet_LoginPortlet_emailAddress=test%40test.com&amp;_com_liferay_login_web_portlet_LoginPortlet_birthdayDay=1&amp;_com_liferay_login_web_portlet_LoginPortlet_middleName=&amp;_com_liferay_login_web_portlet_LoginPortlet_[b]password2=test1[/b]&amp;_com_liferay_login_web_portlet_LoginPortlet_captchaText=22222222222&amp;_com_liferay_login_web_portlet_LoginPortlet_cmd=add&amp;_com_liferay_login_web_portlet_LoginPortlet_[b]password1=test1[/b]&amp;_com_liferay_login_web_portlet_LoginPortlet_birthdayYear=1970&amp;t=1563352591357">
&nbsp;&nbsp; &nbsp;</div>
</code></pre>Code snippet 2:<br><pre><code>var refreshCaptcha = document.getElementById('_com_liferay_login_web_portlet_LoginPortlet_refreshCaptcha');
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;if (refreshCaptcha) {
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;refreshCaptcha.addEventListener(
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;'click',
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;function() {
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;var url = Liferay.Util.addParams('t=' + Date.now(), 'http\x3a\x2f\x2flocalhost\x3a8080\x2fweb\x2fguest\x2fhome\x3fp_p_id\x3dcom_liferay_login_web_portlet_LoginPortlet\x26p_p_lifecycle\x3d2\x26p_p_state\x3dmaximized\x26p_p_mode\x3dview\x26p_p_resource_id\x3d\x252Flogin\x252Fcaptcha\x26p_p_cacheability\x3dcacheLevelPage\x26p_p_lifecycle\x3d1\x26_com_liferay_login_web_portlet_LoginPortlet_redirect\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_birthday\x3d01\x252F01\x252F1970\x26_com_liferay_login_web_portlet_LoginPortlet_lastName\x3dtest\x26_com_liferay_login_web_portlet_LoginPortlet_javax\x2eportlet\x2eaction\x3d\x252Flogin\x252Fcreate_account\x26_com_liferay_login_web_portlet_LoginPortlet_formDate\x3d1563352565441\x26_com_liferay_login_web_portlet_LoginPortlet_openId\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_suffixValue\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_languageId\x3den_US\x26_com_liferay_login_web_portlet_LoginPortlet_prefixValue\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_screenName\x3dtest\x26_com_liferay_login_web_portlet_LoginPortlet_birthdayMonth\x3d0\x26_com_liferay_login_web_portlet_LoginPortlet_mvcRenderCommandName\x3d\x252Flogin\x252Fcreate_account\x26_com_liferay_login_web_portlet_LoginPortlet_firstName\x3dtest\x26_com_liferay_login_web_portlet_LoginPortlet_emailAddress\x3dtest\x2540test\x2ecom\x26_com_liferay_login_web_portlet_LoginPortlet_birthdayDay\x3d1\x26_com_liferay_login_web_portlet_LoginPortlet_middleName\x3d\x26_com_liferay_login_web_portlet_LoginPortlet_[b]password2\x3dtest1[/b]\x26_com_liferay_login_web_portlet_LoginPortlet_captchaText\x3d22222222222\x26_com_liferay_login_web_portlet_LoginPortlet_cmd\x3dadd\x26_com_liferay_login_web_portlet_LoginPortlet_[b]password1\x3dtest1[/b]\x26_com_liferay_login_web_portlet_LoginPortlet_birthdayYear\x3d1970');
&nbsp;var captcha = document.getElementById('_com_liferay_login_web_portlet_LoginPortlet_captcha');
if (captcha) {
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;captcha.setAttribute('src', url);
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;}
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;}
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;);
&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; &nbsp;}</code></pre><pre><code></code></pre>I was able to reproduce this error on LF 7.1 GA3 CE and LF 7.2 GA1 CE. I work on default LF create account portret (not modified). CAPTCHA settings in Control Panel is set to default. <br>Additional observations:<br><ul style="list-style: disc outside;"><li>error not occurs if I turn off CAPTCHA (go to Control Panel –> System Settings –> Security Tools in SECURITY section–> uncheck checkbox ‘Create Account CAPTCHA Enabled’)</li><li>it’s not relevant if I enter correct or incorrect Text Verification</li><li>error not occurs if I change CAPTCHA Engine to reCAPTCHA</li></ul>I suppose the problem occurs in Liferay implementation of CAPTCHA (SimpleCaptcha).<br>Is there any way to deal with this error without changing CAPTCHA engine or disabling CAPTCHA?</body></html>Mateusz Makos2019-07-17T09:42:17Z