Message Boards

Cross Site Request Forgery attack

Naga Raju Ede, modified 14 years ago.

Cross Site Request Forgery attack

New Member Posts: 4 Join Date: 09-9-7 Recent Posts
It was observed that portlets are vulnerable to “Cross Site Request Forgery” attack. It is allowing a user to perform any activity through the application without the knowledge of the application user. This is with Liferay version 4.2.1.

How to simulate

1) Log in to the Liferay portal
2) Access the enterprise admin portlet
3) Take the URL of the application which requires user action to create a user.
4) Build a dummy HTML page referencing the same URL address as in step 3 for posting / submitting a form with user details as params while posting the web request.
5) Log in to the application with valid application user credentials
6) Access the crafted HTML page through an email as an attachment. While opening the attachment itself, the user would be created with the details mentioned in step 4.

Please let me know how to come out of this problem.
sibi thomas, modified 12 years ago.

RE: Cross Site Request Forgery attack

Junior Member Posts: 43 Join Date: 08-5-30 Recent Posts
Hi Naga,

Have you found any solution for CSRF? I am also having the same kind of problem. If someone resolves this error, please share with me.

Regards
Sibi
Amos Fong, modified 12 years ago.

RE: Cross Site Request Forgery attack

Liferay Legend Posts: 2047 Join Date: 08-10-7 Recent Posts
Hi,

This should be fixed in the latest version. Here is the ticket: http://issues.liferay.com/browse/LPS-8399
Susmitha Lalam, modified 10 years ago.

RE: Cross Site Request Forgery attack

New Member Posts: 1 Join Date: 14-1-9 Recent Posts
It was observed that portlets are vulnerable to “Cross Site Request Forgery” attack in Liferay version 4.2.1. Please let us know whether any fix is available for the version 4.2.1.
James Falkner, modified 10 years ago.

RE: Cross Site Request Forgery attack

Liferay Legend Posts: 1399 Join Date: 10-9-17 Recent Posts
Susmitha Lalam:
It was observed that portlets are vulnerable to “Cross Site Request Forgery” attack in Liferay version 4.2.1. Please let us know whether any fix is available for the version 4.2.1.


Hey Susmitha, welcome to the community!

Unfortunately Liferay 4.2.1 is 7 years old and no longer actively maintained. I would highly recommend looking into upgrading to a newer release, where many if not all of the CSRF bugs you've encountered are fixed.
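
For reference, the usual defence against the request forgery described in this thread is a per-session anti-CSRF token that the server checks before any state-changing action. The sketch below is an added example, not part of any post above and not Liferay's own code; the class name, parameter name and session key are hypothetical, and the session and request are modelled as plain maps so it runs with only the JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical names throughout (CsrfGuard, csrf_token, CSRF_TOKEN); not Liferay APIs.
public class CsrfGuard {
    private static final SecureRandom RNG = new SecureRandom();
    static final String SESSION_KEY = "CSRF_TOKEN";
    static final String PARAM = "csrf_token";

    // When rendering a form: create (or reuse) the session's token for a hidden field.
    static String issueToken(Map<String, Object> session) {
        String token = (String) session.get(SESSION_KEY);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.put(SESSION_KEY, token);
        }
        return token;
    }

    // Before a state-changing action such as "create user": the session cookie alone
    // is not enough, the request must also carry the token only the real page knows.
    static boolean isRequestAllowed(String method, Map<String, String> params,
                                    Map<String, Object> session) {
        if (!"POST".equalsIgnoreCase(method)) return false; // no state changes over GET
        String expected = (String) session.get(SESSION_KEY);
        String supplied = params.get(PARAM);
        if (expected == null || supplied == null) return false;
        // Constant-time comparison of the two token values.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // constructed logged-in session
        Map<String, String> fromPortal = new HashMap<>();
        fromPortal.put("screenName", "alice");
        fromPortal.put(PARAM, issueToken(session));     // form rendered by the portal
        Map<String, String> crossSite = new HashMap<>();
        crossSite.put("screenName", "mallory");         // form from another origin: no token
        System.out.println("portal form allowed: " + isRequestAllowed("POST", fromPortal, session));
        System.out.println("cross-site form allowed: " + isRequestAllowed("POST", crossSite, session));
    }
}
```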