PUBLIC - Liferay Portal Enterprise Edition
LPE-14755

Remote Code Execution and Privilege Escalation in templates

Details

    Description

      Remote Code Execution and Privilege Escalation in templates.

      Breaking Changes in 6.2
      Certain utility variables are now restricted and are therefore no longer available by default in the template (FreeMarker, Velocity) context. The affected properties are listed below:

          #
          # Set a comma delimited list of variables the FreeMarker engine cannot
          # have access to. This will affect Dynamic Data List templates, Journal
          # templates, and Portlet Display templates.
          #
          freemarker.engine.restricted.variables=\
              objectUtil,\
              serviceLocator,\
              staticUtil,\
              utilLocator
      
          #
          # Set a comma delimited list of variables the Velocity engine cannot
          # have access to. This will affect Dynamic Data List templates, Journal
          # templates, and Portlet Display templates.
          #
          velocity.engine.restricted.variables=\
              serviceLocator,\
              utilLocator
      

      If any of your custom templates use these variables, you need to adjust these settings and remove only the variables you actually require from the restricted list. Note that every variable removed from the list becomes reachable again from any template that a user with template-editing permissions can save, which reinstates the exposure this issue describes; where possible, rewrite the template instead of relaxing the restriction.
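As an added check, not code from the issue or from Liferay: the following Python script parses a portal.properties / portal-ext.properties override the way Java's Properties loader does (comment lines, trailing-backslash continuations, leading whitespace dropped) and reports which of the 6.2 default restricted variables the override re-exposes to templates. The sample override embedded at the bottom is constructed for the example; point `audit()` at the contents of your own portal-ext.properties to check a real deployment.

```python
"""Audit the Liferay 6.2 template-engine restricted-variable settings.

Added example, not code from the issue or from Liferay. It parses a
portal(-ext).properties file the way Java's Properties loader does
('#'/'!' comment lines, trailing-backslash line continuations, leading
whitespace dropped on every physical line) and reports which of the 6.2
default restricted variables an override has re-exposed to templates.
"""
import re

# Default restricted lists shipped with 6.2, as quoted in the issue.
DEFAULT_RESTRICTED = {
    "freemarker.engine.restricted.variables": {
        "objectUtil", "serviceLocator", "staticUtil", "utilLocator",
    },
    "velocity.engine.restricted.variables": {
        "serviceLocator", "utilLocator",
    },
}

_KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def _logical_lines(text):
    """Join physical lines into logical ones using Java's continuation rule:
    an odd number of trailing backslashes continues onto the next line."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":   # comments only start a logical line
                continue
            buf = ""
        body = line.rstrip("\\")
        trailing = len(line) - len(body)
        if trailing % 2 == 1:
            buf += body + "\\" * (trailing - 1)  # drop the continuation backslash
            continue
        buf += line
        yield buf
        buf = None
    if buf is not None:                       # file ended mid-continuation
        yield buf


def parse_properties(text):
    """Return {key: value}; a later definition of a key overrides an earlier one,
    exactly as a portal-ext.properties entry overrides portal.properties."""
    props = {}
    for logical in _logical_lines(text):
        m = _KEY_VALUE.match(logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def restricted_sets(props):
    """Effective restricted-variable set per engine property: the configured
    value if present (an empty value means nothing is restricted), else the
    6.2 default."""
    return {
        key: ({v.strip() for v in props[key].split(",") if v.strip()}
              if key in props else set(default))
        for key, default in DEFAULT_RESTRICTED.items()
    }


def audit(text):
    """Return {property: sorted default-restricted variables the given
    configuration re-exposes}; empty lists mean the hardened defaults hold."""
    current = restricted_sets(parse_properties(text))
    return {key: sorted(DEFAULT_RESTRICTED[key] - current[key])
            for key in DEFAULT_RESTRICTED}


# Constructed sample override (not taken from any real deployment): an
# administrator re-enabled serviceLocator for FreeMarker and left Velocity
# at the default by not mentioning it.
SAMPLE_OVERRIDE = """\
# portal-ext.properties (constructed example)
freemarker.engine.restricted.variables=\\
    objectUtil,\\
    staticUtil,\\
    utilLocator
"""

if __name__ == "__main__":
    for prop, exposed in audit(SAMPLE_OVERRIDE).items():
        print(prop, "OK" if not exposed else "RE-EXPOSED: " + ", ".join(exposed))
```

Two cases are worth knowing about when reading the report: an engine property that is absent from the override inherits the 6.2 default and is reported as intact, whereas a property that is present with an empty value (`velocity.engine.restricted.variables=`) restricts nothing and is reported as re-exposing every default variable for that engine.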

      See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-194


          People

            michael.bowerman Michael Bowerman
            csaba.turcsan Csaba Turcsan


              Packages

                Version Package
                6.0.X EE
                6.1.X EE
                6.2.X EE