  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-14370

CSRF attack using uploaded flash files in Message Boards attachments

    Details

      Description

      Flash does not strictly honor the same-origin policy. As a result, if an attacker is able to upload a malicious Flash file to the portal as a Message Boards attachment, the Flash file can be used to circumvent the portal's CSRF protection.
      The fix also requires LSV-55 to be installed on 6.1 EE GA2, 6.1 EE GA1 and 6.0 EE SP2.

      See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-171
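
As an added illustration (not part of the original issue and not Liferay's fix), the code below shows one way an upload handler could refuse Flash content in attachments by checking the file's leading bytes for the SWF signatures, so that a renamed file is still caught. The function names and the sample byte strings are constructed for this example.

```python
import os
import struct

# SWF files start with one of these signatures:
# uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
SWF_HEADER_LEN = 8  # 3-byte signature, 1-byte version, 4-byte LE file length


def sniff_swf(data: bytes):
    """Return (signature, version, declared_length) if data starts with a
    SWF header, else None. Any signature match counts (fail closed)."""
    if len(data) < SWF_HEADER_LEN or data[:3] not in SWF_SIGNATURES:
        return None
    (declared_length,) = struct.unpack_from("<I", data, 4)
    return data[:3].decode("ascii"), data[3], declared_length


def check_attachment(filename: str, data: bytes):
    """Decision for a hypothetical upload handler: (accepted, reason).
    Content is checked first, so the file extension cannot hide a SWF."""
    header = sniff_swf(data)
    if header is not None:
        sig, version, _ = header
        return False, f"SWF content ({sig}, version {version}) in {filename!r}"
    if os.path.splitext(filename)[1].lower() == ".swf":
        return False, f"SWF extension on {filename!r}"
    return True, "ok"


# Constructed sample inputs (not taken from the issue).
RENAMED_SWF = b"CWS" + bytes([10]) + struct.pack("<I", 1234) + b"\x78\x9c"
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, body in [("holiday.jpg", RENAMED_SWF),
                       ("photo.jpg", JPEG_HEADER),
                       ("notes.swf", b"plain text")]:
        print(name, check_attachment(name, body))
```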


            People

            Assignee:
            bryan.engler Bryan Engler
            Reporter:
            tibor.lipusz Tibor Lipusz


                Packages

                Version Package
                6.0.X EE
                6.1.X EE