Remote code execution in Calendar portlet

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 5.2.3, 5.2.9 EE, 6.0.6 GA, 6.0.12 EE, 6.1.0 CE GA1, 6.1.10 EE GA1
Fix Version/s: 6.1.1 CE GA2, 6.1.10 EE GA1, 6.1.20 EE GA2, 6.0.X EE, --Sprint 11/12, 6.2.0 CE M2
Component/s: Calendar, Collaboration, Security
Labels:
None

Similar Issues:
Show 2 results

Description

An attacker with access to JSON services can cause Java code written in the the title or the description of a calendar to execute. If the attacker also has permission to create events in the Calendar portlet, the attacker will be able to execute any Java code on the server.

Workaround

Disable JSON service's access to CalEventServiceUtil by adding "com.liferay.portlet.calendar.service.CalEventServiceUtil" to the "json.service.invalid.class.names" property in portal-ext.properties. For example:

json.service.invalid.class.names=\
    com.liferay.documentlibrary.service.DLLocalServiceUtil,\
    com.liferay.documentlibrary.service.DLServiceUtil,\
    com.liferay.mail.service.MailServiceUtil,\
    com.liferay.portal.service.CompanyServiceUtil,\
    com.liferay.portal.service.PortalServiceUtil,\
    com.liferay.portal.service.PortletServiceUtil,\
    com.liferay.portlet.calendar.service.CalEventServiceUtil

Activity

Hide

Permalink

Samuel Kong added a comment - 03/Jul/12 4:38 AM

The code for this ticket was committed under LPS-27726.

Show

Samuel Kong added a comment - 03/Jul/12 4:38 AM The code for this ticket was committed under LPS-27726.

People

Assignee:

SE Support

Reporter:

Samuel Kong

Participants of an Issue:

Samuel Kong, SE Support

Vote (0)

Watch (1)

Dates

Created:

03/Jul/12 4:06 AM

Updated:

08/Feb/13 4:35 PM

Resolved:

03/Jul/12 4:07 AM

Days since last comment:

46 weeks, 3 days ago

Agile

View on Board

~~LPS-9556~~	Path manipulation may lead to remote code execution
~~LPS-11748~~	Executing a new webservice