Discussion Forums

Journal portlet (15) security question

Julian Gonzalez, modified 7 years ago.

Journal portlet (15) security question

New Member Posts: 3 Join Date: 20/01/16 Recent Posts
I have a Liferay 6.2-CE-GA6 site that is being flagged for a security vulnerability due to the following URL (liferay.com seems to have the same issue):

https://www.liferay.com/web/guest/home?p_p_id=15&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0

This URL allows a non logged-in user (guest) to access the journal portlet (webcontent) view without being logged in.

I was looking through previous discussions on these topics but they all applied to older versions of Liferay. I also tried using the "portlet.add.default.resource.check.enabled" setting but it does not seem to prevent access to guests for the Journal.

Is there a setting somewhere I missed in the control panel? Or another property setting?

Thanks.
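
A way to see how often the URL pattern in the post above is requested and whether a later fix changes the response status, as an added example that is not part of the original post. It assumes combined-format access logs; the sample lines, IP addresses and the portlet id 999 are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Portlet ids to watch. "15" is the Journal portlet id from the URL in the post.
WATCHED_PORTLET_IDS = {"15"}

# Leading fields of a combined-format access log line (log format is an assumption).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2016:10:15:02 +0000] "GET /web/guest/home?p_p_id=15'
    '&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&saveLastPath=0 HTTP/1.1" 200 18234',
    # Same request with the id percent-encoded; parse_qs decodes it before matching.
    '203.0.113.7 - - [20/Jan/2016:10:15:09 +0000] '
    '"GET /web/guest/home?p_p_id=%31%35&p_p_state=maximized HTTP/1.1" 200 18102',
    '198.51.100.4 - - [20/Jan/2016:10:16:40 +0000] "GET /web/guest/home HTTP/1.1" 200 9120',
    '198.51.100.4 - - [20/Jan/2016:10:17:01 +0000] '
    '"GET /web/guest/home?p_p_id=999&p_p_state=maximized HTTP/1.1" 200 7001',
]

def find_direct_portlet_requests(lines, watched=WATCHED_PORTLET_IDS):
    """Return one record per request that addresses a watched portlet via p_p_id."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        query = parse_qs(url.query, keep_blank_values=True)
        # p_p_id may be repeated, so compare every supplied value.
        matched = set(query.get("p_p_id", [])) & set(watched)
        if matched:
            hits.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "path": url.path, "portlet_ids": sorted(matched),
                "state": query.get("p_p_state", [""])[0],
            })
    return hits

if __name__ == "__main__":
    for hit in find_direct_portlet_requests(SAMPLE_LOG):
        print(hit)
```

The access log alone does not show whether the requester was logged in, so each hit still has to be correlated with session data before treating it as guest access.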
Tomas Polesovsky, modified 7 years ago.

RE: Journal portlet (15) security question

Liferay Master Posts: 676 Join Date: 13/02/09 Recent Posts
Hi Julian,

Thank you for the heads up.

Have you tried to remove "embedded" portlets from the page? You can find it in the page edit screen, there should be a table with all portlets that are/were "embedded". If you clear this table, it should fix your issue. I guess you inherited it from the upgrade?

Thanks. Please let me know if it helped!

Best

-- tom
Julian Gonzalez, modified 7 years ago.

RE: Journal portlet (15) security question

New Member Posts: 3 Join Date: 20/01/16 Recent Posts
Hello Tomas,

Can you specify which "page edit" screen you're referring to? The gear icon on the top right (configuration) of the web-content screen only has settings for pagination, email and web review.

This was a clean install of 6.2-CE (Tomcat).