Details

      Description

      I ran into a security issue in liferay 6.0.6 that turned out to be fixed in trunk already
      It was independently discovered by another person.
      The ticket that was created for this issue is LPS-18184.

      The issue was resolved in the following way :

      Proxying is allowed only when :

      1. The domain is listed in a whitelist
      2. The domain is that of a virtual host assigned to a Liferay layout set

      This is not sufficient. For instance If :

      You had Liferay set up with the Solr plugin and
      You are running Solr on the same host using the default standalone server

      Then an attacker could in many cases directly access Solr by specifying a liferay layoutset host but the solr port. This would allow access to all data stored within solr.

      This also could be used as a tool to figure out what services are available on the server
      For example :

      The response of

      http://www.liferay.com/c/portal/rest_proxy?url=http://www.liferay.com:3306

      indicates that liferay.com is running mysql

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              paul.piao Paul Piao (Inactive)
              Reporter:
              jelmer Jelmer Kuperus (Inactive)
              Participants of an Issue:
              Recent user:
              Esther Sanz
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                9 years, 5 weeks, 3 days ago

                  Packages

                  Version Package
                  6.0.X EE
                  6.1.1 CE GA2
                  6.1.20 EE GA2
                  --Sprint 11/12
                  6.2.0 CE M2