Forums

securing 'LFR_SESSION_STATE_'

Hussain Shaikh, modified 7 years ago.

securing 'LFR_SESSION_STATE_'

Junior Member Posts: 44 Join date: 07.06.12 Recent posts
Hi,

How can we avoid the following issue from penetration testing?

Issue detail
The LFR_SESSION_STATE_123 cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload ../../../../../../../../../../../../../../../../etc/passwd was submitted in the LFR_SESSION_STATE_123 cookie. The requested file was returned in the application's response.
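An added example (not code from the thread or from Liferay) showing the two defensive checks a finding like this calls for: the value of an LFR_SESSION_STATE_* cookie is validated as a bare file name, and the path built from it is confirmed to stay under a base directory; a small detection pass over constructed Cookie headers flags traversal attempts. The base directory, cookie regex and sample values are assumptions, and the URL-encoded variant goes beyond the single payload quoted in the finding.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for session-state files; the real storage
# location used by Liferay 6.1 is not given in the thread.
SESSION_STATE_DIR = "/var/app/session-state"
COOKIE_RE = re.compile(r"LFR_SESSION_STATE_(\d+)=([^;]*)")


def is_plain_name(value: str) -> bool:
    """Allowlist: the cookie may only name a file, never a path."""
    if value in ("", ".", ".."):
        return False
    return not any(ch in value for ch in "/\\\x00")


def resolve_under_base(base: str, value: str) -> Optional[str]:
    """Canonicalise base/value and return None if it escapes base."""
    base_norm = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base_norm, value))
    if not candidate.startswith(base_norm + os.sep):
        return None
    return candidate


def safe_session_state_path(cookie_value: str,
                            base: str = SESSION_STATE_DIR) -> Optional[str]:
    """Decode first, then allowlist, then contain: both layers must pass."""
    decoded = unquote(cookie_value)  # validate what the app will really use
    if not is_plain_name(decoded):
        return None
    return resolve_under_base(base, decoded)


def find_traversal_attempts(cookie_headers: list) -> list:
    """Detection: (cookie id, raw value) for every LFR_SESSION_STATE_*
    cookie whose decoded value is not a plain file name."""
    hits = []
    for header in cookie_headers:
        for cookie_id, raw in COOKIE_RE.findall(header):
            if not is_plain_name(unquote(raw)):
                hits.append((cookie_id, raw))
    return hits


# Constructed sample Cookie headers: the payload quoted in the finding,
# a URL-encoded variant, and a benign constructed value.
SAMPLE_HEADERS = [
    "JSESSIONID=abc; LFR_SESSION_STATE_123=../../../../../../../../../../../../../../../../etc/passwd",
    "LFR_SESSION_STATE_123=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "LFR_SESSION_STATE_123=1399999999999; COOKIE_SUPPORT=true",
]
```

Run `find_traversal_attempts(SAMPLE_HEADERS)` over real access or proxy logs to spot the same probe, and use `safe_session_state_path` wherever the cookie value is turned into a file path.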
Olaf Kock, modified 7 years ago.

RE: securing 'LFR_SESSION_STATE_'

Liferay Legend Posts: 6403 Join date: 23.09.08 Recent posts
Hussain Shaikh:
How can we avoid the following issue from penetration testing?


Make sure it's reproducible under the latest version (7.0 CE GA3). You didn't state the version you're using here.
If it is: File an issue or send an email. You can find Liferay's full Security Statement with all further information here.
Hussain Shaikh, modified 7 years ago.

RE: securing 'LFR_SESSION_STATE_'

Junior Member Posts: 44 Join date: 07.06.12 Recent posts
It is Liferay 6.1.1 and there is no plan as of now to upgrade to version 7. Please suggest any workaround.
Olaf Kock, modified 7 years ago.

RE: securing 'LFR_SESSION_STATE_'

Liferay Legend Posts: 6403 Join date: 23.09.08 Recent posts
Hussain Shaikh:
It is Liferay 6.1.1 and there is no plan as of now to upgrade to version 7. Please suggest any workaround.


  • Make the stakeholders aware that this is what happens when you're running on old software - have them sign off that they accept the risk
  • At least try 6.1.2 GA3, the latest available version in 6.1 - it fixed many bugs that were found in 6.1.1
  • If all that is not possible: identify the commit where a fix was introduced for a later version and backport it.
Hussain Shaikh, modified 7 years ago.

RE: securing 'LFR_SESSION_STATE_'

Junior Member Posts: 44 Join date: 07.06.12 Recent posts
Hi Olaf,

We are a licensed owner of LR version 6.1.2. If I request one, would I get a patch as a workaround for this issue?

Regards.
Olaf Kock, modified 7 years ago.

RE: securing 'LFR_SESSION_STATE_'

Liferay Legend Posts: 6403 Join date: 23.09.08 Recent posts
Hussain Shaikh:
We are a licensed owner of LR version 6.1.2. If I request one, would I get a patch as a workaround for this issue?


6.1.2 is Community Edition. You have licensed it from Liferay under the LGPL license - with no services assumed, e.g. you can't "request a patch" unless you're paying an external service integrator for support of this version of Liferay Portal.

If you are a customer of the Enterprise Edition, the version number is different. 6.1.x EE premium support has ended, but support - especially for security issues - is AFAIK still available. You might want to try Fixpack-66 or Service Pack 5 first though. As you stated 6.1.1 and 6.1.2, I'm assuming that you're not an Enterprise customer though.