[LPS-28309] Directory Traversal - Liferay Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Resolution: Fixed
Affects Version/s: 6.0.6 GA, 6.0.12 EE, 6.1.0 CE GA1, 6.1.10 EE GA1
Fix Version/s: 6.0.X EE, 6.1.1 CE GA2, 6.1.10 EE GA1, 6.1.20 EE GA2, --Sprint 11/12, 6.2.0 CE M2
Component/s: Accessibility, Knowledge Base widget, Message Boards, Security Vulnerability, Wiki, ~ [Archived] Collaboration
Labels:
None

Description

6.1.X
Servers using the FileSystemStore (default) or the AdvancedFileSystemStore to persist documents in the document library (dl.store.impl in portal.properties) are vulnerable to a directory traversal attacks. By manipulating the URL in the Message Boards, Wiki, or Knowledge Base portlet, an attacker can access any file on the server.

6.0.X
Servers using the FileSystemHook (default) or the AdvancedFileSystemHook to persist documents in the document library (dl.hook.impl in portal.properties) are vulnerable to a directory traversal attacks. By manipulating the URL in the Message Boards, Wiki, or Knowledge Base portlet, an attacker can access any file on the server.

Attachments

Activity

People

Assignee:: SE Support

Reporter:: Samuel Kong

Participants of an Issue:: Samuel Kong, SE Support

Recent user:: Esther Sanz

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 03/Jul/12 2:20 AM

Updated:: 01/Dec/15 6:23 AM

Resolved:: 03/Jul/12 2:22 AM

Days since last comment:: 9 years, 4 weeks, 3 days ago

Packages

Version	Package
6.0.X EE
6.1.1 CE GA2
6.1.10 EE GA1
6.1.20 EE GA2
--Sprint 11/12
6.2.0 CE M2