CVE-2021-33990 - **DISPUTED** File Upload Flaw in Liferay Portal 6.2.5 – Facts, Fears, and the Real Story
There's been a unique debate in the security world about CVE-2021-33990. If you use Liferay Portal 6.2.5, you might have seen talk that this flaw makes it possible for someone to upload files through a special web request. Some posts claim all it takes is sending a Command=FileUpload&Type=File&CurrentFolder=/ request—if the frmfolders.html file is in place, you're open to attack.
But is it real? Can attackers truly upload files this way? Or is this a misunderstanding? Let's go through the details, see the code, review references, and decide what this "vulnerability" actually means.
What Is Liferay Portal?
Before we break things down, it helps to know what Liferay Portal is. In simple terms, Liferay is an open-source portal and content management system (CMS) used by companies to create internal and external websites. It's written in Java and is widely used for its flexibility.
This CVE (Common Vulnerabilities and Exposures) entry warns that:
> Liferay Portal 6.2.5 allows Command=FileUpload&Type=File&CurrentFolder=/ requests when frmfolders.html exists.
This sounds scary. If true, anyone could upload a malicious file just by accessing a certain HTML page and crafting a sneaky request.
Where Did the Claim Start?
The report comes from the MITRE CVE listing (source), referencing this Chinese security article:
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-33203
Security researchers making the claim reference the presence of frmfolders.html. Their reasoning: if this file exists, posting Command=FileUpload might work.
The main idea is that you could POST data to
http(s)://<server>/html/portlet/file_manager/filemanager/connectors/upload_connector.jsp?Command=FileUpload&Type=File&CurrentFolder=/
along with a file, *if* the HTML file at /html/portlet/file_manager/filemanager/frmfolders.html is present.
Here is a classic code snippet demonstrating the POST request attackers might try in tools like Burp Suite or cURL:
```http
POST /html/portlet/file_manager/filemanager/connectors/upload_connector.jsp?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1
Host: liferay-victim.com
Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266
Content-Length: (calculated)

-----------------------------9051914041544843365972754266
Content-Disposition: form-data; name="NewFile"; filename="shell.jsp"
Content-Type: application/octet-stream

<contents of shell.jsp>
-----------------------------9051914041544843365972754266--
```
The hope: Liferay accepts the file, puts it in the root folder, and now you have a web shell.
References and Links
- Original MITRE CVE Entry
- CNVD-2021-33203 (in Chinese)
- Liferay JIRA - Security Issues
- GitHub security-advisories/issues
Here's the catch—it is DISPUTED.
Liferay reviewed the claim (source) and responded:
> "...the exploit reference link only shows frmfolders.html is accessible and does not demonstrate how an unauthorized user can upload a file."
Let's simplify:
- The URL and upload logic are *protected* by authentication.
- Without being a logged-in, authorized user with necessary permissions, the system rejects the file upload attempt.
Let's Test and Dissect
If you're a developer or security engineer, you can try this for yourself. Spin up Liferay Portal 6.2.5, and see:
Example: Testing with Curl
```bash
# No ';' after the URL: it would end the command before -F is read.
curl -v -X POST "https://your-liferay-site.com/html/portlet/file_manager/filemanager/connectors/upload_connector.jsp?Command=FileUpload&Type=File&CurrentFolder=/" \
  -F "NewFile=@shell.jsp"
```
Likely response:
```http
HTTP/1.1 401 Unauthorized
```
or
```http
HTTP/1.1 302 Found
Location: /c/portal/login
```
or a redirect to a login page.
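To confirm the same behaviour from your own server's history, the added example below (not from the original article or from Liferay) triages access-log lines for the request pattern the CVE describes and sorts them by the response outcomes listed above. It assumes the common/combined access-log format; the sample lines and verdict names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Connector path and Command value as quoted in the CVE description.
CONNECTOR = "/html/portlet/file_manager/filemanager/connectors/upload_connector.jsp"

# Assumption: common/combined log prefix (ip ident user [time] "request" status).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def classify(line):
    """Return (ip, status, verdict) for FileUpload requests to the connector, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    path = url.path.split(";", 1)[0]      # drop ";jsessionid=..." path parameters
    commands = parse_qs(url.query).get("Command", [])
    if path != CONNECTOR or "FileUpload" not in commands:
        return None                       # e.g. a plain fetch of frmfolders.html
    status = int(m["status"])
    if m["method"] != "POST":
        verdict = "probe"                 # not a POST, so no multipart upload
    elif status in (401, 403) or 300 <= status < 400:
        verdict = "auth-enforced"         # assumption: a 3xx here is the login redirect
    elif 200 <= status < 300:
        verdict = "review"                # processed: confirm it was a logged-in user
    else:
        verdict = "error"
    return m["ip"], status, verdict

def triage(log_text):
    """Classify every line and keep only the connector upload attempts."""
    return [r for r in map(classify, log_text.splitlines()) if r is not None]

# Constructed sample lines (documentation IP ranges), not from a real server.
_Q = "?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1"
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [16/Apr/2023:04:15:00 +0000] "POST ' + CONNECTOR + _Q + '" 302 0',
    '192.0.2.10 - - [16/Apr/2023:04:15:01 +0000] "GET /html/portlet/file_manager/filemanager/frmfolders.html HTTP/1.1" 200 1523',
    '198.51.100.7 - - [16/Apr/2023:04:16:10 +0000] "POST ' + CONNECTOR + ';jsessionid=ABC' + _Q + '" 200 87',
    '192.0.2.10 - - [16/Apr/2023:04:17:30 +0000] "POST ' + CONNECTOR + _Q + '" 401 0',
    '203.0.113.5 - - [16/Apr/2023:04:18:02 +0000] "GET ' + CONNECTOR + _Q + '" 302 0',
])

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A `review` verdict only means the connector processed a POST; correlate it with the portal's session and audit data to see which authenticated user sent it.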
Why the Confusion?
- Some older CMS and file manager plugins did have buggy upload logic: Simply hitting the URL with the right parameters *was* enough to upload files, even if you weren't logged in.
- Researchers look for HTML files like frmfolders.html as a *hint* that such a plugin is present, then try the generic approach to see if it’s vulnerable.
Summary
- CVE-2021-33990 is marked as “DISPUTED”. There is currently no public proof anyone can exploit this on a vanilla Liferay 6.2.5 install without valid credentials.
- The file uploader is not open to the public. The presence of frmfolders.html does not create a vulnerability by itself.
- If you use Liferay, keep your authentication requirements strict, and regularly check for valid advisories—not every CVE means you are at real risk.
If you want a real-world exploit, there’s no public code or evidence for an “unauthorized” exploit as of now.
The supposed risk is pretty much a misunderstanding caused by assumptions from other systems with similar file names.
Further Reading
- Liferay’s Official Security Advisory Page
- Mitre CVE Feed for “Liferay”
- How to test file upload security in Liferay? (StackOverflow)
Conclusion:
Not every “file upload bug” is real. In this case, CVE-2021-33990 for Liferay Portal 6.2.5 is more of a confusion than an actual vulnerability. Always check vendor advice—and don’t believe every CVE at face value. Stay secure and informed!
Timeline
Published on: 04/16/2023 04:15:00 UTC
Last modified on: 04/26/2023 20:15:00 UTC