Message Boards

Liferay Security Notification LPS-8374

Updated 14 years ago by Alice Cheng.

Liferay Security Notification LPS-8374

New Member Posts: 16 Join Date: 06/08/16
Security Notification:
The following issue may compromise the security of your Liferay Portal CE implementation. This notification provides issue numbers, recommended workaround and directions to access the latest jars/patch to repair this issue. Users are advised to patch their applications ASAP.

Enterprise customers should have received an earlier Security Alert with instructions on how to download and install the security patch. If you are a customer and did not receive a notification but would like to, please contact enterprise_edition@liferay.com. For more immediate notification, contact our sales on how to become a subscriber.

Description
For versions Liferay 5.1 CE and 5.2 CE, secure web pages are susceptible to possible access with guest permissions by using a specific URL.

Issue Number
- Issue(s): LPS-8374
http://issues.liferay.com/browse/LPS-8374

Workaround
- None

Fix Version(s)
- 5.1 CE, 5.2 CE

Source:
- Available at: http://issues.liferay.com/browse/LPS-8374


For additional information on the professionally supported EE version:
- Please contact sales@liferay.com.
Updated 14 years ago by Denis Signoretto.

RE: Liferay Security Notification LPS-8374

Expert Posts: 375 Join Date: 09/04/21
Hi Alice,

The issue page http://issues.liferay.com/browse/LPS-8374 reports:


Component/s: Permissions
Affects Version/s: 6.0.0 Preview, 5.2.3, 5.1.2
Fix Version/s: 6.0.X RC - SP, 6.0.1 RC


while you wrote:


Fix Version(s)
- 5.1 CE, 5.2 CE


CE Edition seems to fix the problem only in the 6.0 version.
Did you mean EE instead of CE?

Thanks,
Denis.
Updated 14 years ago by Shagul Khaja.

RE: Liferay Security Notification LPS-8374

Liferay Master Posts: 758 Join Date: 07/09/27
There is a source attachment for 5.1.2 and 5.2.3 in the JIRA ticket. Maybe Alice is referring to that.
Updated 14 years ago by Corné A.

RE: Liferay Security Notification LPS-8374

Liferay Legend Posts: 1313 Join Date: 06/10/03
For those interested in a compiled Java 1.5 class of the PortletRequestProcessor:

You could place the jar on the CLASSPATH before portal-impl, or, most sure and simple, extract the file to the /webapps/ROOT/WEB-INF/classes/ folder, including the path.
see image;


You'll see this appearing in your log;
22:16:18,510 WARN  [PortletRequestProcessor:118] Fixed Security hole http://issues.liferay.com/browse/LPS-8374 



Greetings,


Note: My language switches declared with Velocity in my theme do not work anymore.
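
A check for the deployment described in the post above, as an added example that is not part of the original thread or of Liferay's code: it confirms that an extracted PortletRequestProcessor.class sits inside a package directory under WEB-INF/classes and that the log contains the WARN line quoted in the post. The function name, the status words and the two path arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that the LPS-8374 override class is deployed and has
# written its marker line. Paths are supplied by the caller (assumption):
#   check_lps8374 <tomcat>/webapps/ROOT <path-to-portal-or-tomcat-log>

# Marker text copied from the log line quoted in the thread.
MARKER='Fixed Security hole http://issues.liferay.com/browse/LPS-8374'

# Prints one status word; returns 0 only when the class is in place and logged.
check_lps8374() {
    webapp_root=$1
    log_file=$2
    classes_dir="$webapp_root/WEB-INF/classes"

    if [ ! -d "$classes_dir" ]; then
        echo "NO_CLASSES_DIR"; return 2
    fi

    # The override has to be an extracted .class file, not a jar, in this tree.
    class_file=$(find "$classes_dir" -type f -name 'PortletRequestProcessor.class' | head -n 1)
    if [ -z "$class_file" ]; then
        echo "CLASS_MISSING"; return 1
    fi

    # "Including the path": a class dropped flat into WEB-INF/classes has lost
    # its package directories and will not replace the one in portal-impl.
    if [ "$(dirname "$class_file")" = "$classes_dir" ]; then
        echo "CLASS_WRONG_PATH"; return 1
    fi

    # Require the marker on a WARN line emitted by PortletRequestProcessor.
    if [ ! -r "$log_file" ] ||
       ! grep -F -- "$MARKER" "$log_file" | grep -q 'WARN *\[PortletRequestProcessor'; then
        echo "CLASS_PRESENT_NOT_LOGGED"; return 1
    fi

    echo "PATCH_ACTIVE"
    return 0
}
```

A result of CLASS_PRESENT_NOT_LOGGED means the file is on disk but the log gives no evidence that the running portal loaded it, for example because the server has not been restarted since the file was extracted.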
Updated 14 years ago by Tarkan Corak.

RE: Liferay Security Notification LPS-8374

Regular Member Posts: 141 Join Date: 08/10/07
Hi,

Thanks for the patch. It works fine for the mentioned backoffice screens (document library, web content list, etc.), but not for "Edit Web Content". For guest users the Save-Buttons are disabled. Workflow, Categorization and Schedule are not visible. But they can see the content of the WYSIWYG-Editor, they can browse Structures and Templates. Same for "Add Web Content". The whole Portlet View should be unaccessible for unauthorized users!

Tarkan
Updated 14 years ago by Amos Fong.

RE: Liferay Security Notification LPS-8374

Liferay Legend Posts: 2047 Join Date: 08/10/07
Tarkan,

This has been recently fixed as well:
http://issues.liferay.com/browse/LPS-8465

If the web content portlet is not on the page, those screens should not be accessible.
Updated 13 years ago by Radu B.

RE: Liferay Security Notification LPS-8374

New Member Posts: 11 Join Date: 08/06/19
Hi Amos,

please help me to clarify the best way to correct this security issue (and the other dozen of them) on a 5.2.3 CE release.

Will it be enough to check out the 5.2.3 trunk from SVN, recompile and redeploy the liferay-portal-5.2.3.war file on my server?

Are the patches for EE Edition submitted to the CE trunk codebase, or are they kept in a different repository?

Thanks!
Updated 13 years ago by Leo TechnoSoft.

RE: Liferay Security Notification LPS-8374

New Member Posts: 6 Join Date: 10/06/01
I am downloading "liferay-portal-5.2.3.war" along with SQL scripts and dependency jars from the Liferay website; go to the "download>>additional files section" or try this one: http://www.liferay.com/downloads/liferay-portal/additional-files. I am trying to deploy the same on my existing Tomcat 5.5 setup, where one more web application is running.

Need more than that? Visit http://leosys.net/liferay-portal-development.aspx