Web services accessible without authentication

Description

By carefully constructing a HTTP POST request, an attacker can execute any of the portal's web services. This vulnerability allows the attacker to circumvent both the permission system and the protection provided by the SecureFilter's portal properties:

xxx.servlet.hosts.allowed
xxx.servlet.https.required

Activity

Show:

Samuel Kong July 4, 2012 at 2:28 AM

The code for this ticket was committed under https://liferay.atlassian.net/browse/LPS-27046#icft=LPS-27046, https://liferay.atlassian.net/browse/LPS-27101#icft=LPS-27101, https://liferay.atlassian.net/browse/LPS-27102#icft=LPS-27102.

Fixed

Pinned fields

Click on the next to a field label to start pinning.

Details
Assignee
SE Support
Reporter
Samuel Kong(Deactivated)
Components
Accessibility
Portal Services
Portal Services > Legacy
Security Vulnerability
Fix versions
6.0.X EE
6.1.1 CE GA2
6.1.20 EE GA2
--Sprint 11/12
6.2.0 CE M2
Affects versions
6.0.6 GA
6.0.12 EE
6.1.0 CE GA1
6.1.10 EE GA1
Priority
Medium

Zendesk Support

Created July 4, 2012 at 2:27 AM

Updated June 24, 2023 at 4:00 PM

Resolved July 4, 2012 at 2:30 AM

Web services accessible without authentication

Description

Activity

Samuel Kong July 4, 2012 at 2:28 AM

Details

Assignee

Reporter

Components

Fix versions

Affects versions

Priority

Zendesk SupportLinked Tickets

Zendesk Support

Zendesk Support