Liferay Portal 6.1.0 / 6.1.10 Arbitrary File Deletion

medium Nessus Plugin ID 62926

Synopsis

The remote host is affected by a file deletion vulnerability.

Description

According to its self-reported version, the Liferay Portal installation hosted on the remote web server is affected by an arbitrary file deletion vulnerability. A user who has permission to delete an attachment in the Wiki portlet can delete arbitrary files on the server.

Note that Nessus has not tested for this issue or checked whether a workaround has been applied; it has relied only on the application's self-reported version number.

Solution

Upgrade to Liferay Portal 6.1.1 / 6.1.20 or later.

See Also

https://issues.liferay.com/browse/LPS-28934

http://www.nessus.org/u?66af3563

Plugin Details

Severity: Medium

ID: 62926

File Name: liferay_lps28934_file_deletion.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 11/15/2012

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

Vulnerability Information

CPE: cpe:/a:liferay:portal

Required KB Items: www/liferay_portal

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/30/2012

Vulnerability Publication Date: 7/30/2012

Reference Information

BID: 55573