PUBLIC - Liferay Portal Community Edition / LPS-28358

Web services accessible without authentication

Description

By carefully constructing an HTTP POST request, an attacker can invoke any of the portal's web services. This vulnerability allows the attacker to circumvent both the permission system and the protection provided by the SecureFilter portal properties:

    xxx.servlet.hosts.allowed
    xxx.servlet.https.required

People

Assignee: SE Support (support-lep@liferay.com)
Reporter: Samuel Kong (samuel.kong)
Participants of an Issue: Esther Sanz (recent user)


Packages

Version Package
6.0.X EE
6.1.1 CE GA2
6.1.20 EE GA2
--Sprint 11/12
6.2.0 CE M2