Clarification on recent SSRF vulnerability report

This is in response to the recent public announcement of a potential Server-Side Request Forgery (SSRF) vulnerability in Liferay Portal 7.0.4

The report appeared recently on various security related sites and it is being "promoted" via social media networks such as Twitter. It talks about a perceived vulnerability for the pingback functionality in the blogs functionality in the Portal product (you can find a detailed description of blog pingbacks on Wikipedia).

As the report itself provides very little information about the perceived vulnerability and basically no information about the potential impact area and the related risks, we feel we need to make those clear.

First, this perceived vulnerability only applies to the blogs pingback functionality.  It does not indicate a XML-RPC vulnerability in any other area of the Liferay Portal product. Liferay Portal has an explicit registry of allowed methods that can be executed thru the /xmlrpc end point.  Out of the box, the only possible command to be executed thru this channel is the blogs pingback capability.  There is no way for users to perform arbitrary remote code executions. The vulnerability relies on the fact that an URL may be attached to a comment that is added when a pingback request is processed .

Second, blog pingbacks explicitly allows for anonymous users to add comments to blogs.  If you do not desire this capability for your blog, there is a setting in portal.properties that explicitly disables pingbacks.  Specifically, set the value of blogs.pingback.enabled=false in your portal-ext.properties.

We are currently working on a final resolution but the work around mentioned above will prevent the vulnerability from being exploited.

Blogs

Hi Milen, you have an extraneous "s" in your property

 

blogs.pingbacks.enabled=false

should be 

blogs.pingback.enabled=false

 

http://docs.liferay.com/portal/7.0-latest/propertiesdoc/portal.properties.html#Blogs%20Portlet