Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-99122

NPE throws when visiting malicious URL

    XMLWordPrintable

    Details

      Description

      Steps to reproduce:

      1. Visit the following malicious URL
        1. http://localhost:8080/group/control_panel/manage?p_p_id=132&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_132_struts_action=%2Fplugins_admin%2Fedit_plugin&_132_pluginId=116&_132_pluginType=portlet&_132_title=Activities&_132_moduleId=%3Cscript%3Ealert(%22xss%22);%3C/script%3E
        2. http://localhost:8080/group/control_panel/manage?p_p_id=132&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_132_struts_action=%2Fplugins_admin%2Fedit_plugin&_132_pluginId=116&_132_pluginType=portlet&_132_title=Activities&_132_moduleId=%3Cscript%3Ealert(%22xss%22);%3C/script%3E&_2_backURL=%22%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E
        3. http://localhost:8080/group/control_panel/manage?p_p_id=132&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_132_struts_action=%2Fplugins_admin%2Fedit_plugin&_132_pluginId=116&_132_pluginType=portlet&_132_title=Activities&_132_moduleId=%3Cscript%3Ealert(%22xss%22);%3C/script%3E&_2_backURL=alert%28%27xss%27%29

      Expected Result: This portlet could not be found. Please redeploy it or remove it from the page. message displays and no error throws.

      Actual Result: This portlet could not be found. Please redeploy it or remove it from the page. message dislays but NPE throws and details as following

      2019-08-01 03:09:15.516 ERROR [http-nio-8080-exec-2][IncludeTag:128] Current URL /group/control_panel/manage?p_p_id=132&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_132_struts_action=%2Fplugins_admin%2Fedit_plugin&_132_pluginId=116&_132_pluginType=portlet&_132_title=Activities&_132_moduleId=%3Cscript%3Ealert(%22xss%22);%3C/script%3E&_2_backURL=%22%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E generates exception: null
java.lang.NullPointerException
        at com.liferay.portal.model.impl.PortletImpl.getControlPanelEntryInstance(PortletImpl.java:772)
        at com.liferay.portal.service.permission.PortletPermissionImpl.hasControlPanelAccessPermission(PortletPermissionImpl.java:538)
        at com.liferay.portal.kernel.service.permission.PortletPermissionUtil.hasControlPanelAccessPermission(PortletPermissionUtil.java:311)
        at com.liferay.layout.type.controller.control.panel.internal.model.ControlPanelLayoutTypeAccessPolicy.checkAccessAllowedToPortlet(ControlPanelLayoutTypeAccessPolicy.java:58)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at com.liferay.portal.servlet.DirectRequestDispatcher.include(DirectRequestDispatcher.java:64)
        at com.liferay.portal.servlet.DirectRequestDispatcherFactoryImpl$IndirectRequestDispatcher.include(DirectRequestDispatcherFactoryImpl.java:199)
        at com.liferay.portal.servlet.ClassLoaderRequestDispatcherWrapper.doDispatch(ClassLoaderRequestDispatcherWrapper.java:79)
        at com.liferay.portal.servlet.ClassLoaderRequestDispatcherWrapper.include(ClassLoaderRequestDispatcherWrapper.java:53)
        at com.liferay.taglib.util.IncludeTag.includePage(IncludeTag.java:398)
        at com.liferay.taglib.util.IncludeTag.include(IncludeTag.java:374)
        at com.liferay.taglib.util.IncludeTag.doInclude(IncludeTag.java:217)
        at com.liferay.taglib.util.IncludeTag.doEndTag(IncludeTag.java:88)
        at freemarker.ext.jsp.TagTransformModel$TagWriter.endEvaluation(TagTransformModel.java:400)
        at freemarker.ext.jsp.TagTransformModel$TagWriter.afterBody(TagTransformModel.java:388)
        at freemarker.core.Environment.visitAndTransform(Environment.java:427)
        at freemarker.core.UnifiedCall.accept(UnifiedCall.java:107)
        at freemarker.core.Environment.visit(Environment.java:324)
        at freemarker.core.MixedContent.accept(MixedContent.java:54)

        Attachments

          Issue Links

          is caused by

          Regression Bug - Used by Liferay QA to indicate an issue discovered during regression testing LPS-98789 IllegalStateException is thrown when accessing a page with a WAB using Spring MVC and while simultaneously re-deploying the same WAB (cont.)

          • Closed

            Activity

              People

              Assignee:
              linda.sui Linda Sui
              Reporter:
              linda.sui Linda Sui
              Participants of an Issue:
              Recent user:
              Jason Pince
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since last comment:
                2 years, 6 weeks, 4 days ago

                  Packages

                  Version Package
                  7.0.0 DXP FP87
                  7.0.10.12 DXP SP12
                  7.0.X
                  7.1.10 DXP FP13
                  7.1.X
                  7.2.10 DXP FP2
                  7.2.10.1 DXP SP1
                  7.2.1 CE GA2
                  7.2.X
                  7.3.10 DXP GA1
                  Master