  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-15732

Denial of service vulnerability via crafted URL

    Details

    • Fix Pack Status:
      Scheduled
    • 7.0 Fix Pack Version:
      22

      Description

      Denial of service vulnerability via crafted URL.

      AggregateFilter, MinifierFilter and DynamicCSSFilter allow unauthenticated users to cause a denial of service (disk consumption) via a crafted URL.

      Solution Notes - 6.2 and prior versions:
      -------------------------------------------------
      The following property has also been added:

      portal.properties
      ##
      ## Cache File Name Contributors
      ##
      
          #
          # Input a list of comma delimited class names that implement
          # com.liferay.portal.servlet.filters.util.CacheFileNameContributor.
          #
          # These classes contribute to the cache file names for static resources in
          # AggregateFilter and DynamicCSSFilter.
          #
          cache.file.name.contributors=\
              \
              #com.liferay.portal.servlet.filters.util.ColorSchemeIdCacheFileNameContributor,\
              \
              com.liferay.portal.servlet.filters.util.LanguageIdCacheFileNameContributor,\
              com.liferay.portal.servlet.filters.util.MinifierTypeCacheFileNameContributor,\
              com.liferay.portal.servlet.filters.util.ThemeIdCacheFileNameContributor
      

      In versions 6.1 and 6.0, the property description refers to MinifierFilter, which was replaced by AggregateFilter as of 6.2.

      See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-311

              People

              • Assignee: Joshua Cords (joshua.cords)
              • Reporter: Jose Jimenez (jose.jimenez)

                  Packages

                  Version Package
                  6.0.X EE
                  6.1.X EE
                  6.2.X EE
                  7.0.X EE