[LPS-28309] Directory Traversal - Liferay Issues

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.0.6 GA, 6.0.12 EE, 6.1.0 CE GA1, 6.1.10 EE GA1
Fix Version/s: 6.0.X EE, 6.1.1 CE GA2, 6.1.10 EE GA1, 6.1.20 EE GA2, --Sprint 11/12, 6.2.0 CE M2
Component/s: Accessibility, Collaboration, Collaboration > Message Boards, Collaboration > Wiki, Knowledge Base, Security Vulnerability
Labels:
None

Description

6.1.X
Servers using the FileSystemStore (default) or the AdvancedFileSystemStore to persist documents in the document library (dl.store.impl in portal.properties) are vulnerable to a directory traversal attacks. By manipulating the URL in the Message Boards, Wiki, or Knowledge Base portlet, an attacker can access any file on the server.

6.0.X
Servers using the FileSystemHook (default) or the AdvancedFileSystemHook to persist documents in the document library (dl.hook.impl in portal.properties) are vulnerable to a directory traversal attacks. By manipulating the URL in the Message Boards, Wiki, or Knowledge Base portlet, an attacker can access any file on the server.

Activity

Hide

Permalink

Samuel Kong added a comment - 03/Jul/12 4:39 AM

The code for this ticket was committed under LPS-27838.

Show

Samuel Kong added a comment - 03/Jul/12 4:39 AM The code for this ticket was committed under LPS-27838.

People

Assignee:

SE Support

Reporter:

Samuel Kong

Recent user:

Esther Sanz

Participants of an Issue:

Samuel Kong, SE Support

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

03/Jul/12 2:20 AM

Updated:

01/Dec/15 6:23 AM

Resolved:

03/Jul/12 2:22 AM

Days since last comment:

4 years, 13 weeks, 3 days ago

Development

Agile

View on Board

Subcomponents