Skip to content

MAL-001: FreeMarker Server-Side Template Injection in Liferay Portal

Notifications You must be signed in to change notification settings

mbadanoiu/MAL-001

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 

Repository files navigation

MAL-001: FreeMarker Server-Side Template Injection in Liferay Portal

An issue was discovered in Liferay - Portal <=7.4.3.12-ga12. By inserting malicious content in the FTL Templates, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and perform SSRF (Server-Side Request Forgery), read arbitrary files and/or obtain RCE (Remote Code Execution).

Note: This issue exists because of an incomplete fix for CVE-2020-13445.

Why no CVE?

Liferay is part of the MITRE CNAs program and have decided that, because of the user privileges required to exploit the SSTI, the vulnerability does not represent a high enough risk to warant a CVE or a security advisory.

Requirements:

This vulnerability requires:

  • Valid user credentials with the role "Power User", "Site Administrator" or "Site Owner"

Proof Of Concept:

More details and the exploitation process can be found in this PDF.

Additional Resources:

Initial vulnerability (CVE-2020-13445) and blogpost by Alvaro "pwntester" Munoz that inspired the SSTI research and finding of this vulnerability.

HSQL RCE vector was inspired by the blogpost "Remote Code Execution in F5 Big‑IP" by Mikhail Klyuchnikov.

Timeline:

  • This vulnerability was initially reported to security@liferay.com on 26-Feb-2022
  • Vulnerability was considered a non-issue as "permission to edit templates should only be granted to trusted users"
  • Retested the vulnerability on 18-Jan-2023 and noticed that:
    • The Arbitrary File Read and SSRF vectors have been patched
    • The RCE had been remediated by the HSQL patch for CVE-2022-41853
  • Publically disclosed the vulnerability on 03-Jan-2024