  1. PUBLIC - Liferay Portal Enterprise Edition
  2. LPE-15751

Information disclosure with restricted pages

    Details

    • 7.0 Fix Pack Version: 13

      Description

      Regression in liferay-fixpack-portal-136-6210.

      A user attempting to access a restricted page that the user does not have permission to access is shown an error message indicating that the user does not have permission. This behavior allows an attacker to determine which page URLs are valid.

          #
          # Set this to true to prompt a guest user to login when attempting to access
          # a protected page resource in the portal. By setting this value to false,
          # the portal will inform all users that a requested resource is not found if
          # they have no entitlements to view the resource. The portal will not prompt
          # for login even if the user is a guest user. This behavior complies with
          # OWASP best practices.
          #
          auth.login.prompt.enabled=true
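
A regression check for the behavior described above, as an added example that is not part of the original ticket or Liferay's code: it compares the response a caller without access receives for a restricted page with the response for a page that does not exist, and reports which features differ. The paths, status codes and message texts are constructed sample values, not captured portal output.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    path: str           # path that was requested
    status: int         # HTTP status code returned
    location: str = ""  # redirect target, empty if none
    body: str = ""      # response body text

def _features(obs):
    # Mask the requested path so an echoed URL is not counted as a difference.
    def mask(text):
        return text.replace(obs.path, "<PATH>")
    body = re.sub(r"\s+", " ", mask(obs.body)).strip().lower()
    return {"status": obs.status, "location": mask(obs.location), "body": body}

def differing_features(restricted, missing):
    """Names of the response features that tell a restricted page apart from
    a nonexistent one. An empty list means existence is not disclosed."""
    a, b = _features(restricted), _features(missing)
    return [name for name in a if a[name] != b[name]]

# Constructed sample responses (assumptions, not real portal output).
# Behavior described in the ticket: a permission error for the restricted page.
REGRESSED = (
    Observation("/group/hr/payroll", 403,
                body="You do not have permission to view /group/hr/payroll."),
    Observation("/group/hr/no-such-page", 404,
                body="The requested resource /group/hr/no-such-page was not found."),
)
# Behavior the property comment describes for auth.login.prompt.enabled=false.
UNIFORM = (
    Observation("/group/hr/payroll", 404,
                body="The requested resource /group/hr/payroll was not found."),
    Observation("/group/hr/no-such-page", 404,
                body="The requested resource\n /group/hr/no-such-page was not found."),
)

if __name__ == "__main__":
    for label, (restricted, missing) in (("regressed", REGRESSED), ("uniform", UNIFORM)):
        diff = differing_features(restricted, missing)
        print(label, "discloses existence via" if diff else "is uniform", diff)
```
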
      


              People

              Assignee:
              alec.shay Alec Shay
              Reporter:
              norbert.kocsis Norbert Kocsis (Inactive)


                  Packages

                  Version Package
                  6.2.X EE
                  7.0.X EE