CST-7031 Velocity/FreeMarker templates do not properly restrict variable usage

Description

In Liferay Portal 7.0 CE GA3, Velocity and FreeMarker templates do not properly restrict the use of some variables, which allows any user with permission to create a template to insert arbitrary code in any page, prevent access to the portal, or access private information stored in the portal.

Workaround:

  1. Navigate to Control Panel > Configuration > System Settings > Foundation > Velocity Engine
  2. Add "staticFieldGetter" (without the quotes) to the list of Restricted variables
  3. Navigate to Control Panel > Configuration > System Settings > Foundation > FreeMarker Engine
  4. Add "staticFieldGetter" (without the quotes) to the list of Restricted variables
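A small audit script, added here as an example and not part of the advisory or of Liferay's own tooling, that checks whether an exported engine configuration already lists the variable named in the workaround and flags existing templates that reference it. It assumes the System Settings values are exported in OSGi `.config` form under a key named `restrictedVariables` (an assumption) and works on constructed sample input.

```python
import re

# The variable the workaround above says must be on both engines' restricted lists.
REQUIRED_RESTRICTED = {"staticFieldGetter"}

# Constructed sample of two exported engine configurations in OSGi .config form.
# The key name "restrictedVariables" is an assumption; the FreeMarker sample
# deliberately lacks the required entry.
SAMPLE_CONFIGS = {
    "velocity": 'restrictedVariables=["serviceLocator","utilLocator","staticFieldGetter"]\n',
    "freemarker": 'restrictedVariables=["serviceLocator","utilLocator"]\n',
}

# Constructed template snippets in Velocity (.vm) and FreeMarker (.ftl) syntax.
SAMPLE_TEMPLATES = {
    "banner.vm": "#set($x = $staticFieldGetter)\n<div>$x</div>\n",
    "footer.ftl": "<p>${company.name}</p>\n",
}

# Matches the variable name as a whole word, so it catches $staticFieldGetter,
# ${staticFieldGetter...} and bare FreeMarker references alike.
VAR_REF = re.compile(r"\bstaticFieldGetter\b")


def parse_restricted_variables(config_text):
    """Return the set of names in a restrictedVariables=["a","b"] line."""
    m = re.search(r'^restrictedVariables=\[(.*)\]\s*$', config_text, re.M)
    if not m:
        return set()
    return {v.strip().strip('"') for v in m.group(1).split(",") if v.strip()}


def missing_restrictions(config_text):
    """Names from REQUIRED_RESTRICTED that the configuration does not restrict."""
    return REQUIRED_RESTRICTED - parse_restricted_variables(config_text)


def find_variable_references(template_text):
    """(line number, line) pairs of a template that reference the variable."""
    return [(n, line.strip())
            for n, line in enumerate(template_text.splitlines(), 1)
            if VAR_REF.search(line)]


if __name__ == "__main__":
    for engine, cfg in SAMPLE_CONFIGS.items():
        print(engine, "missing:", sorted(missing_restrictions(cfg)))
    for name, body in SAMPLE_TEMPLATES.items():
        print(name, "references:", find_variable_references(body))
```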

Severity

Severity 1

Fixed Version(s)

Acknowledgments

This issue was reported by Sergej Michel

Publication date: Mon, 07 Aug 2017 08:09:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.