The UIDAI Resident Portal (with read access to entire Aadhaar Demographic data) is runing a vulnerable version of LifeRay software. It is running LifeRay 6.1, which was declared End-of-Life in Febrary 2016.
This release includes multiple known vulnerabilities, including:
- A XSS issue, for which a PoC can be found at resident.uidai.gov.in (Picture Credits: @sanitarypanels)
- Multiple RCEs: See issue-62 for eg.
You can find a simple Proof of Concept for the XSS issue at resident.uidai.gov.in.
$CDN_HOST/Resident-theme/js/custom.js, in this case
https://scan.bb8.fun/Resident-theme/js/custom.js which hosts a small snippet to overwrite the HTML of the page.
It shows up like:
The current script allows for embeding any tweet using a
tweet parameter. To embed:
Go to any tweet, copy the part after
twitter.com and pass it as the
tweet parameter. For eg, to embed this tweet:
- Look at the URL:
13footwall/status/979301578686345216and pass it as the
- The URL becomes
- SHARE IT
I initially reported this to
firstname.lastname@example.org in Jan 2017:
Forgot all about it till Jan 2018, when someone mentioned I should try my luck with CERT-IN instead:
There is some confusion regarding which version of LifeRay is UIDAI running. They seem to be running 6.1.1, released in 2013-02-26.
The exact version is not relevant to the fact that UIDAI is:
- running an unsupported release
- which is 5 year old
- not updating it despite being notified multiple times
0800 16-Sep: UIDAI seems to have patched the issue by putting a block on the
cdn_host parameter. This still leaves them vulnerable to multiple vulnerabilities until they update to a supported release.
The vulnerability is still not fixed. Here is a complete timeline:
|16 Jan 2017||Initially reported to
|21 Jan 2018||Reported to
|19 Feb 2018||Reminder sent to
|19 Feb 2018||Acknowledgement from CERT|
|15 Mar 2018||Reminder sent. No response|
|17 Mar 2018||Notified NCIIPC|
|18 Mar 2018||Confirmation from NCIIPC asking for more details. I replied back with a quote of previous exchange|
|19 Mar 2018||Confirmation from NCIIPC thanking me for the report.|
|19 Apr 2018||Reminder sent to UIDAI asking for acknowledgement|
|30 May 2018||Reminder sent to NCIIPC and CERT asking for updates|
The only change that I’m aware of since my initial report is that the website stopped declaring the LifeRay version in a HTTP response Header.