A user with privileges to edit FreeMarker or Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Liferay.
Note: The follwing sandbox escape techniques have been tested on Liferay Portal WebContent templates and Liferay Portal Dynamic Data List Display templates, but it should work on other FreeMarker/Velocity templates used across all Liferay products (eg: DXP, Commerce, etc.)
Liferay Portal CE
Liferay Portal CE, version 7.3 GA1
Server-Side Template Injection (FreeMarker)
Even though Liferay does a good job extending the FreeMarker sandbox with a custom ObjectWrapper (
com.liferay.portal.template.freemarker.internal.RestrictedLiferayObjectWrapper.java) which enhances which objects can be accessed from a Template, and also disables insecure defaults such as the
?new built-in to prevent instantiation of arbitrary classes, it stills exposes a number of objects through the Templating API that can be used to circumvent the sandbox and achieve remote code execution.
Deep inspection of the exposed objects’ object graph allows an attacker to get access to objects that allow them to instantiate arbitrary Java objects.
Server-Side Template Injection (Velocity)
Liferay also uses Velocity templates for Dynamic Data Lists Display. We can use similar vectors on Velocity templates.
This issue may lead to
Remote Code Execution.
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 03/23/2020: Sent report to email@example.com
- 03/25/2020: Issue is acknowledged
- 05/27/2020: Fix is released as part of Liferay Portal 7.3.2
This issue was discovered and reported by GHSL team member @pwntester (Alvaro Munoz).
You can contact the GHSL team at
firstname.lastname@example.org, please include a reference to
GHSL-2020-043 in any communication regarding this issue.