Liferay JSON Server API Authentication
https://packetstormsecurity.com/files/115242/liferayjson-bypass.txt
https://packetstormsecurity.com/files/115242/Liferay-JSON-Server-API-Authentication.html
Fri, 03 Aug 2012 15:05:35 GMT
The Liferay JSON implementation does not check whether a user calling a method on a serviceClass is disabled. Typically, the default administrator account, test@liferay.com, is used to create a new administrator and is then disabled without its default password being changed, so it can still be used to execute JSON API calls. Versions 6.0.5 and 6.0.6 are vulnerable.