Liferay Security Notification LPS-8374

Alice Cheng, modified 14 years ago.

Liferay Security Notification LPS-8374

New Member Posts: 16 Join Date: 16.08.06 Recent Posts
Security Notification:
The following issue may compromise the security of your Liferay Portal CE implementation. This notification provides issue numbers, recommended workaround and directions to access the latest jars/patch to repair this issue. Users are advised to patch their applications ASAP.

Enterprise customers should have received an earlier Security Alert with instructions on how to download and install the security patch. If you are a customer and did not receive a notification but would like to, please contact enterprise_edition@liferay.com. For more immediate notification, contact our sales on how to become a subscriber.

Description
For versions Liferay 5.1 CE and 5.2 CE, secure web pages are susceptible to possible access with guest permissions by using a specific URL.

Issue Number
- Issue(s): LPS-8374
http://issues.liferay.com/browse/LPS-8374

Workaround
- None

Fix Version(s)
- 5.1CE, 5.2 CE

Source:
- Available at: http://issues.liferay.com/browse/LPS-8374


For additional information on the professionally supported EE version:
- Please contact sales@liferay.com.
Denis Signoretto, modified 14 years ago.

RE: Liferay Security Notification LPS-8374

Expert Posts: 375 Join Date: 21.04.09 Recent Posts
Hi Alice,

the issue page http://issues.liferay.com/browse/LPS-8374 reports:


Component/s: Permissions
Affects Version/s: 6.0.0 Preview, 5.2.3, 5.1.2
Fix Version/s: 6.0.X RC - SP, 6.0.1 RC


while you wrote:


Fix Version(s)
- 5.1CE, 5.2 CE


CE Edition seems to fix the problem only in the 6.0 version.
Did you mean EE instead of CE?

Thanks,
Denis.
Shagul Khaja, modified 14 years ago.

RE: Liferay Security Notification LPS-8374

Liferay Master Posts: 758 Join Date: 27.09.07 Recent Posts
There is a source attachment for 5.1.2 and 5.2.3 in the JIRA ticket. Maybe Alice is referring to that.
Corné A, modified 14 years ago.

RE: Liferay Security Notification LPS-8374

Liferay Legend Posts: 1313 Join Date: 03.10.06 Recent Posts
For those interested in a compiled Java 1.5 class of the PortletRequestProcessor;

You could place the jar on the CLASSPATH before portal-impl, or, surest and simplest, extract the file to the /webapps/ROOT/WEB-INF/classes/ folder including the path
see image;


You'll see this appearing in your log;
22:16:18,510 WARN  [PortletRequestProcessor:118] Fixed Security hole http://issues.liferay.com/browse/LPS-8374 



Greetings,


Note: My language switches declared with velocity in my theme do not work anymore
Tarkan Corak, modified 14 years ago.

RE: Liferay Security Notification LPS-8374

Regular Member Posts: 141 Join Date: 07.10.08 Recent Posts
Hi,

Thanks for the patch. It works fine for the mentioned backoffice screens (document library, web content list, etc.), but not for "Edit Web Content". For guest users the Save buttons are disabled. Workflow, Categorization and Schedule are not visible. But they can see the content of the WYSIWYG editor, and they can browse Structures and Templates. Same for "Add Web Content". The whole Portlet View should be inaccessible for unauthorized users!

Tarkan
Amos Fong, modified 14 years ago.

RE: Liferay Security Notification LPS-8374

Liferay Legend Posts: 2047 Join Date: 07.10.08 Recent Posts
Tarkan,

This has been recently fixed as well:
http://issues.liferay.com/browse/LPS-8465

If the web content portlet is not on the page, those screens should not be accessible.
Radu B, modified 14 years ago.

RE: Liferay Security Notification LPS-8374

New Member Posts: 11 Join Date: 19.06.08 Recent Posts
Hi Amos,

please help me to clarify the best way to correct this security issue (and the other dozen of them) on a 5.2.3 CE release.

Will it be enough to check out the 5.2.3 trunk from SVN, recompile and redeploy the liferay-portal-5.2.3.war file on my server?

Are the patches for EE Edition submitted to the CE trunk codebase, or are they kept in a different repository?

Thanks!
Leo TechnoSoft, modified 13 years ago.

RE: Liferay Security Notification LPS-8374

New Member Posts: 6 Join Date: 01.06.10 Recent Posts
I am downloading "liferay-portal-5.2.3.war" along with SQL scripts and dependency jars from the Liferay website: go to the "download>>additional files section" or try this one http://www.liferay.com/downloads/liferay-portal/additional-files. I am trying to deploy the same on my existing Tomcat 5.5 setup, where one more web application is running.

Need more than that? Visit http://leosys.net/liferay-portal-development.aspx