Liferay Portal and DXP Staging Site Data Exfiltration Vulnerability

Vulnerability

A vulnerability exists in Liferay Portal versions 7.4.0 to 7.4.3.105, older unsupported versions, and Liferay DXP versions 2023.Q4.0, 2023.Q3.1 to 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. The issue arises in the remote staging feature, which fails to retrieve the live site's remote address from the database and instead trusts the address supplied in the request. This flaw enables remote authenticated users to exfiltrate data to an attacker-controlled server that masquerades as the 'live site', by setting the '_com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress' and '_com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort' parameters. To exploit this vulnerability, an attacker must first obtain the staging server's shared secret and add the attacker-controlled server to the staging server's whitelist.
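Because the publish request itself names the remote target, a defender can audit staging publishes by comparing the submitted address and port against the live site recorded in the staging configuration. The following script is an added example and is not part of this advisory or of Liferay's code base. It assumes a simplified, constructed log format (timestamp, user, method, request URI) rather than real Liferay output, and it treats the live site's address and port as a configured constant standing in for the value stored in the database; only the two parameter names are taken from the advisory.

```python
from urllib.parse import parse_qs, urlsplit

# Request parameter names named in the advisory.
ADDR_PARAM = "_com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress"
PORT_PARAM = "_com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort"

# Assumption: the live site's address and port as recorded in the staging
# configuration. In a real deployment this must come from the database, never
# from the request being checked.
EXPECTED_LIVE_SITE = ("live.example.internal", 8443)

# Constructed sample log lines (not real Liferay output):
# "<timestamp> user=<name> <method> <request-uri>"
PORTLET_PATH = ("/group/guest/~/control_panel/manage"
                "?p_p_id=com_liferay_exportimport_web_portlet_ExportImportPortlet")
SAMPLE_LOG = [
    # Publish to the configured live site: expected.
    f"2025-09-15T19:20:01Z user=alice POST {PORTLET_PATH}&{ADDR_PARAM}=live.example.internal&{PORT_PARAM}=8443",
    # Publish with a different address: target was swapped.
    f"2025-09-15T19:21:07Z user=bob POST {PORTLET_PATH}&{ADDR_PARAM}=203.0.113.77&{PORT_PARAM}=8443",
    # Publish with the right host but a different port: also a mismatch.
    f"2025-09-15T19:22:30Z user=carol POST {PORTLET_PATH}&{ADDR_PARAM}=live.example.internal&{PORT_PARAM}=9999",
    # Unrelated request: carries no staging parameters and is ignored.
    "2025-09-15T19:23:45Z user=dave GET /web/guest/home",
]


def parse_log_line(line):
    """Split a constructed log line into (timestamp, user, method, uri)."""
    ts, user_field, method, uri = line.split(" ", 3)
    return ts, user_field.split("=", 1)[1], method, uri


def requested_live_site(uri):
    """Return the (address, port) named in a request's query string.

    Returns None when neither staging parameter is present, so ordinary
    requests are skipped. A non-numeric port is reported as None so that it
    still fails the comparison with the configured live site.
    """
    params = parse_qs(urlsplit(uri).query)
    if ADDR_PARAM not in params and PORT_PARAM not in params:
        return None
    address = params.get(ADDR_PARAM, [""])[0]
    try:
        port = int(params.get(PORT_PARAM, [""])[0])
    except ValueError:
        port = None
    return address, port


def find_mismatched_publishes(log_lines, expected=EXPECTED_LIVE_SITE):
    """Return one finding per publish whose remote target differs from the configured live site."""
    findings = []
    for line in log_lines:
        ts, user, _method, uri = parse_log_line(line)
        target = requested_live_site(uri)
        if target is None or target == expected:
            continue
        findings.append({"time": ts, "user": user, "requested": target, "expected": expected})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_publishes(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} published to {f['requested']}, expected {f['expected']}")
```

Run against the constructed log the script flags the publishes by bob and carol and ignores alice's and dave's requests. The same comparison, done server-side against the database value before any connection is opened, is the shape of the fix the advisory describes: the request may carry the parameters, but the stored live site is the only source of truth for where data is sent.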

Impact

Successful exploitation allows for unauthorized data exfiltration from the staging site to an attacker-controlled server.

Remediation

Upgrade to Liferay Portal 7.4.3.106 or to Liferay DXP 2024.Q1.1, 2023.Q4.1, 2023.Q3.5, or 7.3 U36.

Added: Sep 15, 2025, 7:20 PM
Updated: Sep 15, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.