Tue, 29 May 2018 04:00:00 +0000
CST-7051 Remote code execution via Web Proxy application
The Web Proxy portlet/application allows remote attackers to execute arbitrary code via a supplied stylesheet.
Patched versions of the portal prevent users without the Administrator role from adding the Web Proxy application to a page by default, but only in new installations. Existing installations keep their current permissions; for those, apply the workaround described below.
Portal administrators should review which users have permission to add and configure the Web Proxy portlet/application, and remove that permission from any user who is not trusted.
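The advisory does not say how a stylesheet turns into code execution. The usual route in a Java XSLT processor is an extension function namespace (Xalan's "java:" namespace) that lets a stylesheet invoke arbitrary JVM methods, and the standard countermeasure is to run the transformer with JAXP secure processing enabled. The following is an added example written for this page, not Liferay code and not the actual CST-7051 payload: it assumes the JDK's built-in XSLTC transformer and uses a constructed stylesheet that calls System.getProperty through the extension namespace, then shows that a hardened factory refuses to compile it. The class name StylesheetCheck and the method names are hypothetical.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class StylesheetCheck {

    // Constructed sample stylesheet (not from the advisory). It reaches into the JVM
    // through Xalan's "java:" extension namespace; getProperty is used here only as a
    // harmless stand-in for the arbitrary method an attacker would call.
    static final String EXTENSION_XSLT =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:sys=\"http://xml.apache.org/xalan/java/java.lang.System\">"
      + "<xsl:template match=\"/\">"
      + "<xsl:value-of select=\"sys:getProperty('java.version')\"/>"
      + "</xsl:template></xsl:stylesheet>";

    // Constructed input document; the transform does not depend on its content.
    static final String DOC = "<root/>";

    /** Factory as many applications create it: extension functions are honoured. */
    static TransformerFactory permissiveFactory() {
        return TransformerFactory.newInstance();
    }

    /**
     * Factory hardened for untrusted stylesheets. FEATURE_SECURE_PROCESSING makes the
     * JDK transformer reject extension function calls; the two ACCESS_EXTERNAL_*
     * attributes stop the stylesheet from pulling in external DTDs or stylesheets.
     * Third-party factories that do not know these attributes throw
     * IllegalArgumentException, which is surfaced rather than swallowed.
     */
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    /** Runs the transform and returns its output, or null if the processor refused it. */
    static String transformOrNull(TransformerFactory f, String xslt, String xml) throws Exception {
        try {
            Transformer t = f.newTransformer(new StreamSource(new StringReader(xslt)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // Covers TransformerConfigurationException from newTransformer() as well.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String loose = transformOrNull(permissiveFactory(), EXTENSION_XSLT, DOC);
        String tight = transformOrNull(hardenedFactory(), EXTENSION_XSLT, DOC);
        System.out.println("permissive factory ran the extension call: " + (loose != null));
        System.out.println("hardened factory refused the stylesheet:   " + (tight == null));
    }
}
```

The point for a reviewer of any portlet that accepts a user-supplied stylesheet is the second factory: if the transformer is built without FEATURE_SECURE_PROCESSING, restricting who may configure the portlet (the advisory's workaround) is the only thing standing between a stylesheet upload and JVM method calls. Which processor Liferay actually uses, and whether the patched versions change the transformer configuration or only the default permissions, is not stated on this page.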
- Navigate to Control Panel > Configuration > Components > Portlets
- Locate and click on "Web Proxy"
- Locate the "Permissions" section
- Click on "Change" and remove the "Add to Page" permission from any role that contains users who are not trusted.
In most installations of Liferay DXP/Liferay Portal, the "Add to Page" permission should only be given to users with the "Administrator" role.
There is no patch available for Liferay Portal 7.0 CE GA6. Users of that release should instead upgrade to Liferay Portal 7.0 CE GA7 (7.0.6) or later to fix this issue.