CST-2022-01 Insecure defaults: auth.login.prompt.enabled

Description

The portal property, auth.login.prompt.enabled defaults to true in Liferay Portal 7.0.0 through 7.4.2 which allows attackers to enumerate and discover the existence of screen names, site names, and  pages.

Severity

Severity 2

Affected Version(s)

  • Liferay Portal 7.0.0 - 7.0.6
  • Liferay Portal 7.1.0 - 7.1.3
  • Liferay Portal 7.2.0 - 7.2.1
  • Liferay Portal 7.3.0 - 7.3.7
  • Liferay Portal 7.4.0 - 7.4.2

Fixed Version(s)

There is no fix available for Liferay Portal 7.0, 7.1 and 7.2. Instead, the following line can be added to portal-ext.properties: auth.login.prompt.enabled=false

Publication date: Mon, 24 Jan 2022 16:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.