PUBLIC - Liferay Portal Community Edition / LPS-32539

Security issue: possible clickjacking using iframe

Description

When the portal is loaded inside an iframe, there is the potential for clickjacking. The desire is that Liferay, via options, properties, or some other means, provides a solution to prevent this. This is a possible scenario:

1) Get the URL of a clean Liferay bundle installation on any application server (Tomcat, JBoss, WebSphere), e.g. http://myliferayserver/portal
2) Create an HTML file named liferay.html like the one below, putting the Liferay portal URL in the field marked XXXX, e.g. http://myliferayserver/portal :

<!DOCTYPE html>
<html>
<body>
<iframe src="XXXXXXXXXXXXXXXXXXX" height="1024" width="1280">
<p>Your browser does not support iframes.</p>
</iframe>
</body>
</html>

3) Put this HTML file on any web server (Apache, nginx) and note the resulting URL, e.g. http://myhtmlserver/liferay.html
4) Access that URL in any browser, e.g. http://myhtmlserver/liferay.html
5) You will then see the Liferay portal embedded as an iframe.
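The ticket asks for a setting that stops the portal from being rendered inside a third-party frame. Browsers enforce that through response headers: X-Frame-Options (DENY or SAMEORIGIN) or a Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present. The Python script below is an added example, not part of this ticket or of Liferay's own code; it evaluates a set of response headers the way a browser would and reports whether a page at one URL could be framed from another, so an administrator can confirm a fix is actually in effect. The URLs reuse the placeholders from the steps above; the header sets are constructed samples, not responses captured from a real server.

```python
"""Added example (not part of LPS-32539 or of Liferay): decide whether a browser
that honours anti-clickjacking headers would render a page inside a frame
served from another origin.

Rules applied (standard browser behaviour):
  * Content-Security-Policy frame-ancestors, when present, takes precedence
    over X-Frame-Options.
  * X-Frame-Options DENY blocks all framing; SAMEORIGIN allows only the
    page's own origin; the obsolete ALLOW-FROM form is ignored by current
    browsers, so it is reported as offering no protection.
  * No header at all means any site may frame the page (the ticket's scenario).
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


def origin_of(url):
    """Scheme and host[:port] of a URL, lower-cased, e.g. http://myliferayserver."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_csp(value):
    """Split a CSP header into {directive-name: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source, page_origin, framer_origin):
    """Minimal matcher for the source expressions frame-ancestors accepts."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    framer = urlsplit(framer_origin)
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. https:
        return framer.scheme == src[:-1]
    # host-source: [scheme://]host[:port]; the host may start with "*."
    if "://" in src:
        scheme, host = src.split("://", 1)
        if framer.scheme != scheme:
            return False
    else:
        host = src
    host, _, port = host.partition(":")
    framer_port = str(framer.port) if framer.port else DEFAULT_PORTS.get(framer.scheme, "")
    if port and port != "*" and port != framer_port:
        return False
    if host.startswith("*."):
        return framer.hostname.endswith(host[1:])    # *.example.com matches a.example.com only
    return framer.hostname == host


def framing_allowed(headers, page_url, framer_url):
    """Return (allowed, reason) for page_url embedded in a frame on framer_url."""
    lowered = {name.lower(): value for name, value in headers.items()}
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)

    csp = lowered.get("content-security-policy")
    if csp:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:                     # an empty list behaves like 'none'
            allowed = any(source_matches(s, page_origin, framer_origin) for s in sources)
            return allowed, "CSP frame-ancestors " + " ".join(sources)

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return True, f"X-Frame-Options value {xfo!r} is invalid and ignored"
    return True, "no anti-framing header present"


# URLs reused from the ticket's steps; the header sets below are constructed samples,
# not responses captured from a real Liferay server.
PORTAL_URL = "http://myliferayserver/portal"
FRAMING_PAGE = "http://myhtmlserver/liferay.html"

SAMPLES = {
    "unprotected (ticket scenario)": {"Content-Type": "text/html;charset=UTF-8"},
    "X-Frame-Options SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
    "CSP frame-ancestors": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.intranet.example"
    },
    "both headers, CSP wins": {"X-Frame-Options": "DENY",
                               "Content-Security-Policy": "frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        allowed, reason = framing_allowed(headers, PORTAL_URL, FRAMING_PAGE)
        print(f"{label:32} frameable from {FRAMING_PAGE}: {allowed} ({reason})")
```

Run directly, the script prints one verdict per sample. The unprotected sample reproduces the ticket: with no header, the portal is frameable from http://myhtmlserver. The "both headers" sample shows why the precedence rule matters: a page that sends X-Frame-Options: DENY together with frame-ancestors 'self' is still frameable from its own origin, because browsers apply the CSP directive and ignore X-Frame-Options once frame-ancestors is present. When checking a live deployment, feed the function the headers of the actual portal response rather than a sample dictionary.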


People

Assignee: Tomas Polesovsky (topolik)
Reporter: Ira Chui (ira.chui)
Votes: 0
Watchers: 3


Packages

Version Package: 6.1.20 EE GA2