Details


      Description

      An attacker with access to JSON services can cause Java code written in the title or the description of a calendar to execute. If the attacker also has permission to create events in the Calendar portlet, the attacker will be able to execute any Java code on the server.

      Workaround

      Disable JSON service's access to CalEventServiceUtil by adding "com.liferay.portlet.calendar.service.CalEventServiceUtil" to the "json.service.invalid.class.names" property in portal-ext.properties. For example:

      json.service.invalid.class.names=\
          com.liferay.documentlibrary.service.DLLocalServiceUtil,\
          com.liferay.documentlibrary.service.DLServiceUtil,\
          com.liferay.mail.service.MailServiceUtil,\
          com.liferay.portal.service.CompanyServiceUtil,\
          com.liferay.portal.service.PortalServiceUtil,\
          com.liferay.portal.service.PortletServiceUtil,\
          com.liferay.portlet.calendar.service.CalEventServiceUtil
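      To confirm the workaround is actually in effect on a server, the following added example (not Liferay's code) reads a portal-ext.properties file, handling the backslash line continuations used in the listing above, and checks that CalEventServiceUtil appears in json.service.invalid.class.names. Both sample files are constructed for the example.

```python
import re

PROPERTY = "json.service.invalid.class.names"
CAL_EVENT_SERVICE = "com.liferay.portlet.calendar.service.CalEventServiceUtil"

# Constructed sample files; raw strings keep the trailing backslashes intact.
VULNERABLE_CONFIG = r"""# portal-ext.properties before the workaround
json.service.invalid.class.names=\
    com.liferay.documentlibrary.service.DLLocalServiceUtil,\
    com.liferay.portal.service.CompanyServiceUtil
"""
PATCHED_CONFIG = r"""# portal-ext.properties with the workaround applied
json.service.invalid.class.names=\
    com.liferay.documentlibrary.service.DLLocalServiceUtil,\
    com.liferay.documentlibrary.service.DLServiceUtil,\
    com.liferay.mail.service.MailServiceUtil,\
    com.liferay.portal.service.CompanyServiceUtil,\
    com.liferay.portal.service.PortalServiceUtil,\
    com.liferay.portal.service.PortletServiceUtil,\
    com.liferay.portlet.calendar.service.CalEventServiceUtil
"""

def parse_properties(text: str) -> dict:
    """Java .properties reader: skips comments, joins backslash-continued lines."""
    props, logical = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # continuation lines drop their leading whitespace
        if logical is None:
            if not line or line[0] in "#!":
                continue
            logical = ""
        # An odd number of trailing backslashes means the line continues.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2)
        logical = None
    return props

def denied_json_classes(text: str) -> list:
    """Classes the JSON servlet refuses to expose, from the parsed property."""
    value = parse_properties(text).get(PROPERTY, "")
    return [c.strip() for c in value.split(",") if c.strip()]

def cal_event_json_access_denied(text: str) -> bool:
    """True when the workaround from this ticket is present in the config."""
    return CAL_EVENT_SERVICE in denied_json_classes(text)
```

      Setting the property in portal-ext.properties replaces the whole list, which is why the workaround repeats the other denied classes; the check only confirms the calendar class is among them.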

        Activity

        Samuel Kong added a comment -

        The code for this ticket was committed under LPS-27726.


          People

          • Assignee:
            SE Support
            Reporter:
            Samuel Kong
            Recent user:
            Randy Zhu