Liferay 1: Did you know that probably anyone could view many portlets in your system?

19 February 2018

The vulnerability described in this article has been corrected in Liferay's current latest version. We consider it extremely important to keep the systems you run up to date. The following article shows an example of a vulnerability in an outdated Liferay version.

Liferay's digital experience platform is one of the most popular portal systems, used by thousands of enterprises. Banks, insurance companies and governmental institutions base their internal and customer portals on Liferay. We have extensive experience with Liferay development and Liferay security hardening. I want to share with you some typical vulnerabilities we found in several running installations. I hope it will help you strengthen your systems and secure the data of your customers. Contact the Liferay rescue team for deeper assistance.

Add portlet to page

Level of security risk: Medium

Details:
Any user with the Guest role (an unauthenticated user) has permission to add portlets to a page; for example, you can add the Asset Publisher to a page as detailed below.
More details:
https://web.liferay.com/community/forums/-/message_boards/message/89552290

Risk:
A user could access information that is sensitive or obsolete. No login is necessary to exploit this vulnerability.

Proof of concept:
Open the following link in a browser:
http://[redacted]/?p_p_id=101&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view

1. The vulnerability is present even if, by default, you have no permission to view the portlet, as seen below:

2. But if you visit the provided link, you access the content of the portlet:
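The request pattern above leaves a clear trace: a page render whose query string carries p_p_id (and usually p_p_state=maximized) for a portlet that is not placed on any public page. The following script is an added example, not code from the original article or from Liferay, that scans web-server access logs for exactly that trace. It assumes Common Log Format lines, a hypothetical allow-list of portlet IDs that legitimately appear on public pages (PUBLIC_PORTLETS, here containing a made-up ID 56), and uses the portlet ID from the article's own proof-of-concept URL as the thing to catch. The sample log lines are constructed for the example. Note that the access log cannot tell you whether the portal session was authenticated, so the allow-list of publicly placed portlets, not the log's user field, is what drives the verdict.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2018:10:01:02 +0000] "GET /?p_p_id=101&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view HTTP/1.1" 200 8421
203.0.113.5 - - [19/Feb/2018:10:01:09 +0000] "GET /web/guest/home HTTP/1.1" 200 5120
198.51.100.7 - - [19/Feb/2018:10:02:11 +0000] "GET /?p_p_id=101&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view HTTP/1.1" 200 8421
203.0.113.9 - - [19/Feb/2018:10:03:44 +0000] "GET /?p_p_id=56&p_p_lifecycle=0&p_p_state=normal HTTP/1.1" 200 3300
203.0.113.9 - - [19/Feb/2018:10:04:01 +0000] "GET /?p_p_id=101&p_p_lifecycle=0&p_p_state=maximized HTTP/1.1" 403 512
"""

# Hypothetical allow-list: portlet IDs that are actually placed on public pages.
# In practice, build this from the site's layout configuration.
PUBLIC_PORTLETS = {"56"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line and pull the Liferay portlet parameters out of the query string."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    qs = parse_qs(urlsplit(rec["target"]).query)
    rec["portlet"] = qs.get("p_p_id", [None])[0]
    rec["state"] = qs.get("p_p_state", [None])[0]
    return rec


def find_direct_portlet_access(log_text, public_portlets=PUBLIC_PORTLETS):
    """Return findings for successful direct renders of portlets not on the public allow-list."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["portlet"] is None:
            continue  # not a portlet render request
        if rec["portlet"] in public_portlets:
            continue  # portlet is legitimately public
        if rec["status"] != "200":
            continue  # denied requests are still worth counting, but they are not a leak
        reasons = ["portlet not placed on any public page"]
        if rec["state"] == "maximized":
            reasons.append("requested in maximized state")
        findings.append({
            "ip": rec["ip"],
            "timestamp": rec["ts"],
            "portlet": rec["portlet"],
            "reasons": reasons,
        })
    return findings


def sources_by_portlet(findings):
    """Group offending source IPs per portlet ID, useful for triage and for scoping the exposure."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["portlet"], set()).add(f["ip"])
    return grouped


if __name__ == "__main__":
    for f in find_direct_portlet_access(SAMPLE_LOG):
        print(f["timestamp"], f["ip"], "portlet", f["portlet"], "-", "; ".join(f["reasons"]))
    print(sources_by_portlet(find_direct_portlet_access(SAMPLE_LOG)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any portlet ID that shows up in the findings but is not deliberately exposed on a public page is either a candidate for this vulnerability or a sign that the allow-list is incomplete. Pair the log check with the actual fix the article recommends, which is upgrading to a Liferay version that no longer grants the Guest role the add-portlet permission.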