CVE-2016-6517
📋 TL;DR
CVE-2016-6517 is a directory traversal vulnerability in Liferay Portal 5.1.0 that allows remote attackers to access files outside the intended directory by using URL-encoded dot-dot sequences (%2E%2E) in the minifierBundleDir parameter. This affects all Liferay 5.1.0 installations with the vulnerable barebone.jsp endpoint accessible. Attackers could potentially read sensitive files or execute arbitrary code depending on server configuration.
💻 Affected Systems
- Liferay Portal
📦 What is this software?
Liferay by Liferay
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.
Likely Case
Unauthorized file read access to sensitive configuration files, source code, or credentials stored on the server.
If Mitigated
Limited impact with proper file system permissions and network segmentation preventing access to critical files.
🎯 Exploit Status
Exploitation requires only a crafted HTTP request with URL-encoded directory traversal sequences. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.1 and later
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jj3Q6sXBkVlO/content/cve-2016-6517-directory-traversal
Restart Required: Yes
Instructions:
1. Upgrade Liferay Portal to version 5.1.1 or later.
2. Apply the patch from Liferay's security advisory.
3. Restart the Liferay service.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Block access to barebone.jsp
Use web server configuration to block or restrict access to the vulnerable barebone.jsp endpoint.
# Apache: RewriteRule ^/barebone\.jsp - [F,L]
# Nginx: location ~ /barebone\.jsp { deny all; }
Input validation filter
Implement a servlet filter to sanitize and reject requests containing directory traversal sequences.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Liferay instance.
- Apply principle of least privilege to file system permissions for the Liferay user account.
🔍 How to Verify
Check if Vulnerable:
Test by sending a GET request to /barebone.jsp with minifierBundleDir parameter containing %2E%2E sequences and observing if it returns files outside the web root.
Check Version:
Check Liferay version in Control Panel → Server Administration → Properties or examine liferay-portal.xml
Verify Fix Applied:
After patching, repeat the vulnerability test and confirm it returns an error or sanitized response instead of file contents.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to barebone.jsp with %2E%2E or similar encoded sequences in parameters
- Unusual file access patterns from Liferay process
Network Indicators:
- HTTP requests with URL-encoded directory traversal patterns
- Traffic to barebone.jsp endpoint from unexpected sources
SIEM Query:
http.url:"*barebone.jsp*" AND (http.param:"*%2E%2E*" OR http.param:"*..*")
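The log indicator above can also be checked offline against web server access logs. The following is an added example, not code from the advisory or from Liferay: it decodes the minifierBundleDir value before matching, so lower-case and nested percent-encodings are normalised and a value that merely contains two dots is not flagged. The access log format, the function names and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
MAX_DECODE_ROUNDS = 3  # assumption: enough to undo nested percent-encoding

def normalise(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in re.split(r"[/\\]", normalise(value))

def flag_line(line):
    """Return the raw minifierBundleDir value if the entry is suspicious, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/barebone.jsp"):
        return None
    # Split the query by hand so the value is reported exactly as logged.
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name) == "minifierBundleDir" and is_traversal(raw):
            return raw
    return None

# Constructed sample entries (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Aug/2016:10:00:00 +0000] "GET /barebone.jsp?minifierBundleDir=%2E%2E%2F%2E%2E%2Fexample HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2016:10:00:01 +0000] "GET /barebone.jsp?minifierBundleDir=%2e%2e%2Fexample HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Aug/2016:10:00:02 +0000] "GET /barebone.jsp?minifierBundleDir=%252E%252E%252Fexample HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Aug/2016:10:00:03 +0000] "GET /barebone.jsp?minifierBundleDir=/html/js/v1..2 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Aug/2016:10:00:04 +0000] "GET /index.jsp?q=%2E%2E HTTP/1.1" 200 2048',
]

def scan(lines):
    """Return (line_number, raw_value) for every flagged entry."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := flag_line(line))]
```

Calling `scan(SAMPLE_LOG)` flags the first three constructed entries and leaves the last two alone.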
🔗 References
- http://www.openwall.com/lists/oss-security/2016/08/01/5
- http://www.openwall.com/lists/oss-security/2016/08/02/1
- http://www.securityfocus.com/bid/92215