Details

    • Business Value:
      3
    • CVSS Base Score:
      4.3
    • CVSS Vector String:
      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
    • 7.1 Fix Pack Version:
      17

      Description

      In Liferay DXP 7.1 and DXP 7.0, JAX-RS APIs are vulnerable to CSRF attacks.

      Custom JAX-RS/REST services may require adjustments after installing DXP 7.0 FP90+/DXP 7.1 FP17+.

      You may get an HTTP 403 error when invoking your custom endpoint after moving to one of the patch levels indicated above if you don't provide a valid p_auth token with your request.

      To fix this, you need to adjust your custom JAX-RS Application.

      Option A: Disable CSRF checks for the affected endpoint

      You can disable the Authentication Token (p_auth) check for your custom endpoint by adding

       "auth.verifier.auth.verifier.PortalSessionAuthVerifier.check.csrf.token=false"

      to the properties of your Application, like this:

      import javax.ws.rs.core.Application;
      import org.osgi.service.component.annotations.Component;
      import org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants;

      @Component(
        property = {
          JaxrsWhiteboardConstants.JAX_RS_APPLICATION_BASE + "=/greetings",
          JaxrsWhiteboardConstants.JAX_RS_NAME + "=Greetings.Rest",
          // Skips the p_auth (CSRF token) check for this Application only
          "auth.verifier.auth.verifier.PortalSessionAuthVerifier.check.csrf.token=false"
        },
        service = Application.class
      )
      public class GreetingsApplication extends Application { // class name assumed; the issue shows only the annotation
      }

      Option B: Provide CSRF Token

      Alternatively, you can provide the CSRF token by passing it as a query parameter called "p_auth" (e.g. http://localhost:8080/o/greetings/morning?p_auth=oyc51agu).
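      Option B keeps the CSRF check in place, so the caller has to attach the token. The following browser-side helper is an added example, not code from the Liferay issue: it appends p_auth to an endpoint URL without clobbering existing query parameters, and reads the token from the page-level Liferay.authToken object (assumed to be present when the script runs inside a portal page) unless the caller supplies one.

```javascript
// Added example (not from the Liferay issue): attach the portal CSRF token
// as the "p_auth" query parameter, as Option B requires after DXP 7.0 FP90+
// and DXP 7.1 FP17+.

// Using the URL API keeps existing query parameters intact and encodes the
// token value, instead of string-concatenating "?p_auth=" onto the URL.
function withAuthToken(endpointUrl, token) {
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('p_auth token is required');
  }
  const url = new URL(endpointUrl);
  url.searchParams.set('p_auth', token);
  return url.toString();
}

// Resolve the token: an explicit value wins; otherwise fall back to the
// Liferay.authToken global (assumed available inside a portal page).
function resolveAuthToken(explicitToken) {
  if (typeof explicitToken === 'string' && explicitToken.length > 0) {
    return explicitToken;
  }
  const liferay = globalThis.Liferay;
  if (liferay && typeof liferay.authToken === 'string') {
    return liferay.authToken;
  }
  throw new Error('No p_auth token available for this request');
}

// Call the custom JAX-RS endpoint with the session cookie and the token;
// without the token the patched portal answers HTTP 403.
async function callJaxRs(endpointUrl, token) {
  const url = withAuthToken(endpointUrl, resolveAuthToken(token));
  return fetch(url, { credentials: 'same-origin' });
}
```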

People

    • Assignee:
      support-ee EE Support
    • Reporter:
      tibor.lipusz Tibor Lipusz
    • Votes:
      0
    • Watchers:
      1


Packages

    Version   Package
    7.0.X     EE
    7.1.x     EE