-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 6.2 EE GA1 (6.2.10), 7.0 DE (7.0.10)
-
Component/s: Portal Services > Templates Engine, Security Vulnerability
-
Fix Pack Status:Scheduled
-
7.0 Fix Pack Version:18
Velocity and FreeMarker templates does not properly restrict the use of some variables, which allow any user with permission to create a template to insert arbitrary code in any page, prevent access to the portal or access private information stored in the portal.
The fix includes the following configuration changes:
- DXP 7.0:
- System Settings - Foundation - FreeMarker Engine: "Restricted Variables" as below:
serviceLocator|utilLocator|objectUtil|staticFieldGetter|staticUtil
- System Settings - Foundation - Velocity Engine: "Restricted Variables" as below:
serviceLocator|staticFieldGetter|utilLocator
- System Settings - Foundation - FreeMarker Engine: "Restricted Variables" as below:
- 6.1, 6.2 EE: portal properties as below:
# # Set a comma delimited list of variables the Velocity engine cannot # have access to. This will affect Dynamic Data List templates, Journal # templates, and Portlet Display templates. # velocity.engine.restricted.variables=\ serviceLocator,\ staticFieldGetter,\ utilLocator # # Set a comma delimited list of variables the FreeMarker engine cannot # have access to. This will affect Dynamic Data List templates, Journal # templates, and Portlet Display templates. # freemarker.engine.restricted.variables=\ objectUtil,\ serviceLocator,\ staticFieldGetter,\ staticUtil,\ utilLocator
Please also see https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-327.