PUBLIC - Liferay Portal Enterprise Edition
LPE-16381

Remote code execution via Web Proxy application

Details

    • Scheduled

    Description

      The Web Proxy portlet/application allows remote attackers to execute arbitrary code via a supplied stylesheet.

      Mitigation
      Portal administrators should review users with permission to add and configure the Web Proxy portlet/application. Permission to configure Web Proxy should be removed from any user who is not trusted.

      Upgrade Note
      The patch prevents users without the administrator role from adding the Web Proxy portlet/application to a page by default in new installations of Liferay DXP/Liferay Portal. For existing installations:

      1. Navigate to Control Panel > Configuration > Components > Portlets
      2. Locate and click on "Web Proxy"
      3. Locate the "Permissions" section
      4. Click on "Change" and remove the "Add to Page" permission from any role with users who are not trusted.
        • In most installations of Liferay DXP/Liferay Portal, the "Add to Page" permission should only be given to users with the "Administrator" role.

      See also https://web.liferay.com/group/customer/products/portal/security-vulnerability/lsv-373

          People

            joshua.cords Joshua Cords
            tibor.lipusz Tibor Lipusz

Packages

Version   Package
6.1.X     EE
6.2.X     EE
7.0.X     EE