Description
In Liferay Portal 7.0.5 and earlier, the Web Proxy portlet/application allows remote attackers to execute arbitrary code via a supplied stylesheet.
Patched versions of the portal prevent users without the Administrator role from adding the Web Proxy application to a page by default, but this default applies only to new installations. For existing installations, please refer to the workaround section below.
Workaround:
Portal administrators should review which users have permission to add and configure the Web Proxy portlet/application. Permission to configure Web Proxy should be removed from any user who is not trusted.
- Navigate to Control Panel > Configuration > Components > Portlets
- Locate and click on "Web Proxy"
- Locate the "Permissions" section
- Click on "Change" and remove the "Add to Page" permission from any role that contains users who are not trusted.
In most installations of Liferay DXP/Liferay Portal, the "Add to Page" permission should be granted only to users with the "Administrator" role.
Severity
Severity 1
Fixed Version(s)
- Liferay Portal 7.0.6
- March 2020 source patch for Liferay Portal 6.2.5. Details for working with source patches can be found on the Patching Liferay Portal page.
Publication date: Tue, 29 May 2018 04:00:00 +0000