{"id":19972821,"url":"https://github.com/mbadanoiu/mal-001","last_synced_at":"2025-03-01T18:23:33.607Z","repository":{"id":215176479,"uuid":"738275950","full_name":"mbadanoiu/MAL-001","owner":"mbadanoiu","description":"MAL-001: FreeMarker Server-Side Template Injection in Liferay Portal","archived":false,"fork":false,"pushed_at":"2024-01-02T22:10:29.000Z","size":4103,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-12T09:29:30.541Z","etag":null,"topics":["0-day","authenticated","bypass","cve-2020-13445","remote-code-execution","server-side-template-injection"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mbadanoiu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-02T21:16:32.000Z","updated_at":"2024-01-05T00:27:43.000Z","dependencies_parsed_at":null,"dependency_job_id":"eede5d27-dd10-4072-8b5c-5ddc0b73522a","html_url":"https://github.com/mbadanoiu/MAL-001","commit_stats":null,"previous_names":["mbadanoiu/mal-001"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbadanoiu%2FMAL-001","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbadanoiu%2FMAL-001/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbadanoiu%2FMAL-001/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mbadanoiu%2FMAL-001/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mbadanoiu","download_url":"https://codeload.github.com/mbadanoiu/MAL-001/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241405600,"owners_count":19957859,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["0-day","authenticated","bypass","cve-2020-13445","remote-code-execution","server-side-template-injection"],"created_at":"2024-11-13T03:09:18.794Z","updated_at":"2025-03-01T18:23:33.585Z","avatar_url":"https://github.com/mbadanoiu.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# MAL-001: FreeMarker Server-Side Template Injection in Liferay Portal\n\nAn issue was discovered in Liferay - Portal \u003c=7.4.3.12-ga12. By inserting malicious content in the FTL Templates, an attacker may perform SSTI (Server-Side Template Injection) attacks, which can leverage FreeMarker exposed objects to bypass restrictions and perform SSRF (Server-Side Request Forgery), read arbitrary files and/or obtain RCE (Remote Code Execution).\n\n\u003cstrong\u003eNote:\u003c/strong\u003e This issue exists because of an incomplete fix for CVE-2020-13445.\n\n### Why no CVE?\n\n[Liferay](https://www.cve.org/PartnerInformation/ListofPartners/partner/Liferay) is part of the [MITRE CNAs](https://www.cve.org/ProgramOrganization/CNAs) program and have decided that, because of the user privileges required to exploit the SSTI, the vulnerability does not represent a high enough risk to warant a CVE or a security advisory.\n\n### Requirements:\n\nThis vulnerability requires:\n\u003cbr/\u003e\n- Valid user credentials with the role \"Power User\", \"Site Administrator\" or \"Site Owner\"\n\n### Proof Of Concept:\n\nMore details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/MAL-001/blob/main/Liferay%20-%20MAL-001.pdf).\n\n### Additional Resources:\n\nInitial [vulnerability (CVE-2020-13445)](https://nvd.nist.gov/vuln/detail/CVE-2020-13445) and [blogpost](https://securitylab.github.com/advisories/GHSL-2020-043-liferay_ce/) by [Alvaro \"pwntester\" Munoz](https://github.com/pwntester) that inspired the SSTI research and finding of this vulnerability.\n\nHSQL RCE vector was inspired by the blogpost [\"Remote Code Execution in F5 Big‑IP\" by Mikhail Klyuchnikov](https://swarm.ptsecurity.com/rce-in-f5-big-ip/).\n\n### Timeline:\n\n- This vulnerability was initially reported to security@liferay.com on 26-Feb-2022\n- Vulnerability was considered a non-issue as \"permission to edit templates should only be granted to trusted users\"\n- Retested the vulnerability on 18-Jan-2023 and noticed that:\n  - The Arbitrary File Read and SSRF vectors have been patched\n  - The RCE had been remediated by the HSQL patch for CVE-2022-41853\n- Publically disclosed the vulnerability on 03-Jan-2024\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmbadanoiu%2Fmal-001","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmbadanoiu%2Fmal-001","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmbadanoiu%2Fmal-001/lists"}