Naga Raju Ede
Cross Site Request Forgery attack
September 8, 2009 6:41 AM

It was observed that portlets are vulnerable to a “Cross Site Request Forgery” attack. It allows a user to perform any activity through the application without the knowledge of the application user. This is with Liferay version 4.2.1.

How to simulate

1) Log in to Liferay portal
2) Access the enterprise admin portlet
3) Take the URL of the application which requires user action to create a user.
4) Build a dummy HTML page referencing the URL address same as in step 3 for posting / submitting a form with user details as params while posting the web request.
5) Log in to the application with valid application user credentials
6) Access the crafted HTML page through an email as an attachment. While opening the attachment itself, the user would be created with the details mentioned in step 4.

Please let me know how to come out of this problem.
sibi thomas
RE: Cross Site Request Forgery attack
June 22, 2011 10:40 PM

Hi Naga,

Have you found any solution for CSRF? I am also having the same kind of problem. If someone resolves this error, please share with me.

Regards
Sibi
Amos Fong
RE: Cross Site Request Forgery attack
June 22, 2011 11:19 PM
LIFERAY STAFF

Hi,

This should be fixed in the latest version. Here is the ticket: http://issues.liferay.com/browse/LPS-8399
Susmitha Lalam
RE: Cross Site Request Forgery attack
January 9, 2014 2:23 AM

It was observed that portlets are vulnerable to “Cross Site Request Forgery” attack in Liferay version 4.2.1. Please let us know whether any fix is available for the version 4.2.1.
James Falkner
RE: Cross Site Request Forgery attack
January 9, 2014 4:51 AM
LIFERAY STAFF

Susmitha Lalam:
It was observed that portlets are vulnerable to “Cross Site Request Forgery” attack in Liferay version 4.2.1. Please let us know whether any fix is available for the version 4.2.1.


Hey Susmitha, welcome to the community!

Unfortunately Liferay 4.2.1 is 7 years old and no longer actively maintained. I would highly recommend looking into upgrading to a newer release, where many if not all of the CSRF bugs you've encountered are fixed.
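
Added example, not part of any post in this thread and not Liferay's own code: the forged form post described in the first message works against any application that accepts a state-changing request on the session cookie alone, and a common defence is a per-session synchronizer token that the application's own forms carry and an outside page cannot read. Plain maps stand in for the HTTP session and the request parameters, and the names `csrfToken`, `csrf_token` and `screenName` are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
// Added illustration: synchronizer-token check. Plain maps stand in for the
// HTTP session and the request parameters (assumptions, not a real portal API).
public class CsrfTokenCheck {
    static final String SESSION_KEY = "csrfToken";  // hypothetical session attribute
    static final String PARAM_NAME = "csrf_token";  // hypothetical hidden form field
    private static final SecureRandom RNG = new SecureRandom();

    // Issued once per session and rendered into every form the application serves.
    static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, token);
        return token;
    }

    // Run before any state-changing action, such as creating a user.
    static boolean isAllowed(Map<String, Object> session, Map<String, String> params) {
        Object expected = session.get(SESSION_KEY);
        String supplied = params.get(PARAM_NAME);
        if (!(expected instanceof String) || supplied == null) {
            return false;  // token missing from the session or the request: reject
        }
        // Constant-time comparison avoids leaking how many leading bytes matched.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();  // the logged-in user's session
        String token = issueToken(session);
        // Constructed request 1: form served by the application, token included.
        Map<String, String> genuine = new HashMap<>();
        genuine.put("screenName", "new.user");
        genuine.put(PARAM_NAME, token);
        // Constructed request 2: same field posted from a page the application did not serve.
        Map<String, String> forged = new HashMap<>();
        forged.put("screenName", "new.user");
        System.out.println("genuine form allowed: " + isAllowed(session, genuine));
        System.out.println("forged form allowed:  " + isAllowed(session, forged));
    }
}
```

In a real deployment the check belongs in a filter or the framework's action dispatcher, so no individual action handler can skip it.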