PUBLIC - Liferay Portal Enterprise Edition / LPE-14370

CSRF attack using uploaded flash files in Message Boards attachments

    Details

      Description

      Flash does not strictly honor the same-origin policy. As a result, if an attacker is able to upload a malicious Flash file to the portal as a Message Boards attachment, the Flash file can be used to circumvent the portal's CSRF protection.
      On 6.1 EE GA2, 6.1 EE GA1 and 6.0 EE SP2, the fix also requires LSV-55 to be installed.

      See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-171
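
An added example, not Liferay's code and not the fix shipped for this issue: a content-based audit that flags attachments whose bytes form a Flash (SWF) file, whatever the file name says. The function names and the sample attachments are assumptions constructed for illustration.

```python
import struct

# SWF signature -> body compression (FWS: none, CWS: zlib, ZWS: LZMA).
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}

def sniff_swf(data):
    """Return SWF header fields if data starts like a Flash file, else None."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        return None
    version = data[3]
    (declared_length,) = struct.unpack("<I", data[4:8])  # little-endian
    if version == 0 or declared_length < 8:
        return None
    if data[:3] == b"CWS":
        # The compressed body must open with a valid zlib header; this
        # rejects text files that merely begin with the letters "CWS".
        if len(data) < 10 or data[8] & 0x0F != 8:
            return None
        if ((data[8] << 8) | data[9]) % 31 != 0:
            return None
    return {"compression": SWF_SIGNATURES[data[:3]], "version": version,
            "declared_length": declared_length}

def audit_attachments(attachments):
    """Flag (file_name, content) pairs whose content is Flash, whatever the name."""
    findings = []
    for name, content in attachments:
        header = sniff_swf(content)
        if header is not None:
            header["name"] = name
            # Content is Flash but the name claims another type.
            header["disguised"] = not name.lower().endswith(".swf")
            findings.append(header)
    return findings

# Constructed sample attachments (not taken from the issue).
SAMPLES = [
    ("banner.swf", b"FWS\x0a" + struct.pack("<I", 64) + bytes(56)),
    ("photo.jpg", b"CWS\x09" + struct.pack("<I", 4096) + b"\x78\x9c" + bytes(16)),
    ("notes.txt", b"CWS is a queue service\n"),
    ("real.png", b"\x89PNG\r\n\x1a\n" + bytes(16)),
]

if __name__ == "__main__":
    for finding in audit_attachments(SAMPLES):
        print(finding)
```
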

            People

            • Assignee:
              bryan.engler Bryan Engler
              Reporter:
              tibor.lipusz Tibor Lipusz

                Packages

                Version Package
                6.0.X EE
                6.1.X EE