Tue, 29 May 2018 04:00:00 +0000
CST-7052 Multiple CSRF vulnerability in 7.0 CE GA6
Multiple cross-site request forgery (CSRF) vulnerabilities allow remote attackers to execute unwanted actions in the portal.
Remove the following lines from the 'auth.token.ignore.actions' portal property:
/blogs/edit_entry,\ /blogs_aggregator/edit_entry,\ /document_library/edit_file_entry,\ /message_boards/edit_message,\ /portal/comment/edit_discussion,\
Removing the above paths will disable the following features:
- Blog entry drafts and Wiki page drafts will no longer be automatically saved when the user's session expires
- Unauthenticated users will no longer be able to add a message in the Message Boards or add comments in the various apps that support comments.
To keep using these features, the above paths must be re-added after upgrading to a patched version of the portal.
There is no patch available for Liferay Portal 7.0 CE GA6. Instead, users should upgrade to Liferay Portal 7.0 CE GA7 (7.0.6) or later to fix this issue.