Alice Cheng
Liferay Security Notification LPS-8374
2010/04/17 14:33
LIFERAY STAFF

Security Notification:
The following issue may compromise the security of your Liferay Portal CE implementation. This notification provides issue numbers, recommended workaround and directions to access the latest jars/patch to repair this issue. Users are advised to patch their applications ASAP.

Enterprise customers should have received an earlier Security Alert with instructions on how to download and install the security patch. If you are a customer and did not receive a notification but would like to, please contact enterprise_edition@liferay.com. For more immediate notification, contact our sales on how to become a subscriber.

Description
For versions Liferay 5.1 CE and 5.2 CE, secure web pages are susceptible to possible access with guest permissions by using a specific URL.

Issue Number
- Issue(s): LPS-8374
http://issues.liferay.com/browse/LPS-8374

Workaround
- None

Fix Version(s)
- 5.1CE, 5.2 CE

Source:
- Available at: http://issues.liferay.com/browse/LPS-8374


For additional information on the professionally supported EE version:
- Please contact sales@liferay.com.
Denis Signoretto
RE: Liferay Security Notification LPS-8374
2010/04/14 0:18

Hi Alice,

the issue page http://issues.liferay.com/browse/LPS-8374 reports:


Component/s: Permissions
Affects Version/s: 6.0.0 Preview, 5.2.3, 5.1.2
Fix Version/s: 6.0.X RC - SP, 6.0.1 RC


while you wrote:


Fix Version(s)
- 5.1CE, 5.2 CE


CE Edition seems to fix the problem only in 6.0 version.
Did you mean EE instead of CE?

Thanks,
Denis.
Shagul Khajamohideen
RE: Liferay Security Notification LPS-8374
2010/04/15 7:32

There is a source attachment for 5.1.2 and 5.2.3 in the JIRA ticket. Maybe Alice is referring to that.
Corné Aussems
RE: Liferay Security Notification LPS-8374
2010/04/16 2:24

For those interested in a compiled java 1.5 class of the PortletRequestProcessor;

You could place the jar on the CLASSPATH before portal-impl, or the surest and simplest way is to extract the file to the /webapps/ROOT/WEB-INF/classes/ folder, including the path
see image;


You'll see this appearing in your log;
22:16:18,510 WARN  [PortletRequestProcessor:118] Fixed Security hole http://issues.liferay.com/browse/LPS-8374



Greetings,


Note: My language switches declared with velocity in my theme do not work anymore

Attachments: ScreenShot543.png (11.3k), portal-impl_LPS-8374_fix_523_JAVA15.jar (32.7k)
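
One way to verify the deployment described in the post above, as an added example that is not part of the original thread or of Liferay's tooling: it looks for an extracted PortletRequestProcessor.class under WEB-INF/classes and for the WARN marker in the portal log. The function names, the exit codes and the `pkg/path` fixture directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check that the LPS-8374 class override from the post above is in place.
MARKER='Fixed Security hole http://issues.liferay.com/browse/LPS-8374'

# Print the first PortletRequestProcessor.class extracted under WEB-INF/classes;
# return 1 when there is none.
find_override() {
    [ -d "$1/WEB-INF/classes" ] || return 1
    hit=$(find "$1/WEB-INF/classes" -type f -name PortletRequestProcessor.class | head -n 1)
    [ -n "$hit" ] || return 1
    printf '%s\n' "$hit"
}

# Print how many PortletRequestProcessor WARN lines in the log carry the marker.
count_marker() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -F "$MARKER" "$1" | grep -c 'WARN  *\[PortletRequestProcessor:' || true
}

# 0 = class extracted and marker logged, 1 = class not extracted,
# 2 = class extracted but the marker line is absent from the log.
check_lps8374() {
    find_override "$1" >/dev/null || return 1
    [ "$(count_marker "$2")" -gt 0 ] || return 2
}

# Constructed fixture: an empty stand-in class file and a log line in the format
# quoted in the post. "pkg/path" is a placeholder for the package directory
# that the post's screenshot showed.
demo() {
    tmp=$(mktemp -d) || return 3
    mkdir -p "$tmp/ROOT/WEB-INF/classes/pkg/path"
    : > "$tmp/ROOT/WEB-INF/classes/pkg/path/PortletRequestProcessor.class"
    printf '%s\n' "22:16:18,510 WARN  [PortletRequestProcessor:118] $MARKER" > "$tmp/portal.log"
    rc=0
    check_lps8374 "$tmp/ROOT" "$tmp/portal.log" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh check_lps8374.sh <path to webapps/ROOT> <portal log file>
if [ $# -eq 2 ]; then
    rc=0
    check_lps8374 "$1" "$2" || rc=$?
    echo "check_lps8374 exit status: $rc"
fi
```

An exit status of 2 means the class file is on disk but the log being checked does not contain the marker line.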
Tarkan Corak
RE: Liferay Security Notification LPS-8374
2010/04/21 4:07

Hi,

Thanks for the patch. It works fine for the mentioned backoffice screens (document library, web content list, etc.), but not for "Edit Web Content". For guest users the Save-Buttons are disabled. Workflow, Categorization and Schedule are not visible. But they can see the content of the WYSIWYG-Editor, they can browse Structures and Templates. Same for "Add Web Content". The whole Portlet View should be inaccessible for unauthorized users!

Tarkan
Amos Fong
RE: Liferay Security Notification LPS-8374
2010/04/21 11:23
LIFERAY STAFF

Tarkan,

This has been recently fixed as well:
http://issues.liferay.com/browse/LPS-8465

If the web content portlet is not on the page, those screens should not be accessible.
Radu B
RE: Liferay Security Notification LPS-8374
2010/04/28 8:28

Hi Amos,

please help me to clarify the best way to correct this security issue (and the other dozen of them) on a 5.2.3 CE release.

Will it be enough to check out the 5.2.3 trunk from SVN, recompile and redeploy the liferay-portal-5.2.3.war file on my server?

Are the patches for the EE Edition submitted to the CE trunk codebase, or are they kept in a different repository?

Thanks!
Leo TechnoSoft
RE: Liferay Security Notification LPS-8374
2010/06/07 23:55

I am downloading "liferay-portal-5.2.3.war" along with SQL scripts and dependency jars from the Liferay website; go to "download>>additional files section" or try this one: http://www.liferay.com/downloads/liferay-portal/additional-files. I am trying to deploy the same on my existing Tomcat 5.5 setup where one more web application is running.

Need more than that? Visit http://leosys.net/liferay-portal-development.aspx