PUBLIC - Liferay Portal Community Edition
LPS-26935

All JSON web services are accessible without authentication.

    Details

      Description

      All JSON web services are, by default, accessible without authentication. Because the services can be called anonymously, anyone who can reach the portal can create a new user with administrator rights.

      Workarounds

      Option 1: Turn off all JSON web services by adding the following to portal-ext.properties:
      json.web.service.enabled=false

      Option 2: Disable anonymous access to JSON web services by adding the following two lines to portal-ext.properties:
      jsonws.web.service.public.methods=
      json.service.public.methods=

      Option 2 leaves the services enabled but, with both public-method lists empty, requires every call to be authenticated; it reduces the risk but does not completely eliminate it. Option 1 eliminates the risk, but any portal functionality that depends on JSON web services will stop working.
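The following script is an added example, not code from Liferay or from this issue. It reads a portal-ext.properties file and reports which of the two workarounds above is actually in effect, so that a commented-out line, a stray space around `=`, or only one of the two Option 2 properties being set does not pass for a fix. The property names are the ones given in the workarounds; the parser, the function names (`parse_properties`, `assess`) and the sample file contents are assumptions made for the example. An absent property is treated as "not hardened" rather than assuming any shipped default value.

```python
"""Check a Liferay portal-ext.properties for the LPS-26935 workarounds.

Added example; not Liferay code. The property names come from the issue
text; the parser, the function names and the sample files are assumptions
made for this example.
"""
import re
import sys

# Property names given in the issue's workarounds.
ENABLED_KEY = "json.web.service.enabled"          # Option 1
PUBLIC_METHOD_KEYS = (                            # Option 2
    "jsonws.web.service.public.methods",
    "json.service.public.methods",
)

_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators, trailing-backslash line continuations. A key set twice
    keeps the last value, as a later portal-ext.properties entry would."""
    props = {}
    pending = []                      # pieces of a continued logical line
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue                  # blank or comment line
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        m = _KV.match("".join(pending))
        pending = []
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def assess(props):
    """Classify the JSON web service exposure implied by the properties.

    'disabled'      Option 1 applied: services switched off entirely.
    'authenticated' Option 2 applied: both public-method lists are empty,
                    so every call must be authenticated.
    'partial'       only one of the two Option 2 lists is empty.
    'open'          neither workaround present (a commented-out line does
                    not count, which is the mistake this check catches).
    An absent key is treated as not hardened; the check does not assume
    what the shipped default value is.
    """
    if props.get(ENABLED_KEY, "").lower() == "false":
        return "disabled"
    closed = [k for k in PUBLIC_METHOD_KEYS if props.get(k) == ""]
    if len(closed) == len(PUBLIC_METHOD_KEYS):
        return "authenticated"
    if closed:
        return "partial"
    return "open"


# Constructed sample portal-ext.properties contents, not real deployments.
SAMPLE_UNTOUCHED = "company.default.locale=en_US\n"
SAMPLE_OPTION_1 = "company.default.locale=en_US\njson.web.service.enabled = false\n"
SAMPLE_OPTION_2 = (
    "jsonws.web.service.public.methods=\n"
    "json.service.public.methods=\n"
)
SAMPLE_COMMENTED_OUT = "# json.web.service.enabled=false\n"


if __name__ == "__main__":
    # Usage: python check_lps26935.py /path/to/portal-ext.properties
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_UNTOUCHED
    print(assess(parse_properties(text)))
```

Run it against the real file on each node of a cluster; a result of "partial" or "open" on any node means the workaround is not in place there, and "disabled" should be expected only where Option 1 was chosen deliberately.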


              People

              • Assignee: Samuel Kong (samuel.kong)
              • Reporter: Samuel Kong (samuel.kong)


                  Packages

                  Version Package
                  6.0.X EE
                  6.1.1 CE GA2
                  6.1.20 EE GA2
                  6.2.0 CE M2