PUBLIC - Liferay Portal Enterprise Edition
LPE-16381

Remote code execution via Web Proxy application

    Details

    • Fix Pack Status:
      Scheduled
    • Business Value:
      5
    • 7.0 Fix Pack Version:
      46

      Description

      The Web Proxy portlet/application allows remote attackers to execute arbitrary code via a supplied stylesheet.

      Mitigation
      Portal administrators should review users with permission to add and configure the Web Proxy portlet/application. Permission to configure Web Proxy should be removed from any user who is not trusted.

      Upgrade Note
      The patch prevents users without the administrator role from adding the Web Proxy portlet/application to a page by default in new installations of Liferay DXP/Liferay Portal. For existing installations:

      1. Navigate to Control Panel > Configuration > Components > Portlets
      2. Locate and click on "Web Proxy"
      3. Locate the "Permissions" section
      4. Click on "Change" and remove the "Add to Page" permission from any role with users who are not trusted.
        • In most installations of Liferay DXP/Liferay Portal, the "Add to Page" permission should only be given to users with the "Administrator" role.

      See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-373

      People

      • Assignee:
        joshua.cords Joshua Cords
      • Reporter:
        tibor.lipusz Tibor Lipusz

      Packages

      Version Package
      6.1.X EE
      6.2.X EE
      7.0.X EE