1. Web server type and version disclosure.
Risk Impact
Exposing the precise software version lets an attacker match the server against known vulnerabilities and mount tailored attacks instead of guessing.
Recommendation
It is recommended to remove software versions from service banners and response headers.
Solution
Add the below property in portal-ext.properties (it overrides the default in portal.properties):
##
## HTTP Header Response
##
#
# Set the level of verbosity to use for the Liferay-Portal field in the HTTP
# header response. Valid values are "full", which gives all of the version
# information (e.g. Liferay Portal Community Edition 6.1.0 CE etc.) or
# "partial", which gives only the name portion (e.g. Liferay Portal
# Community Edition).
#
http.header.version.verbosity=partial
Note that this property only controls Liferay's own Liferay-Portal header. Tomcat's Server header is configured separately through the server attribute of the Connector element in server.xml, and Tomcat's default error pages also print the Tomcat version, so check those as well after restarting the portal.
2. Auto complete is enabled
Risk Impact
Without autocomplete="off" on the login form, the browser may store the credentials of previously logged-in users and offer them to the next person using the same browser; on a public or shared computer an attacker can recover valid credentials this way.
Recommendation
It is recommended to set autocomplete to "off" for sensitive input fields. Treat this as defence in depth only: current browsers ignore autocomplete="off" on password fields and still offer to save credentials in their password manager, so the real control on shared machines remains short session lifetimes and not saving passwords.
Solution
Add the below properties in portal-ext.properties:
#
# Set this to true to allow users to autocomplete the login form based on
# their previously entered values.
#
company.security.login.form.autocomplete=false
#
# Set this to true to allow users to ask the portal to send them their
# password.
#
company.security.send.password=false
The second property is not related to autocomplete; it disables the "send me my password" feature, which emails the user's password, and belongs in the same hardening pass.
3. Missing HttpOnly Attribute in Session Cookie
Risk Impact
Without the HttpOnly attribute on the Set-Cookie header, client-side script can read the session cookie. An attacker who finds a cross-site scripting flaw in the portal can then steal or modify the cookie and hijack the user's session.
Recommendation
It is recommended to enable HttpOnly for session cookies.
Solution
Add the useHttpOnly attribute to the Context element in the Tomcat {TOMCAT_HOME}\conf\context.xml file, keeping the existing content of the element:
<Context useHttpOnly="true">
    <!-- existing entries (e.g. WatchedResource) stay unchanged -->
</Context>
Tomcat 7 and later already default useHttpOnly to true, so this change mainly matters on Tomcat 6; in either case confirm the result by inspecting the Set-Cookie header for JSESSIONID after a restart. HttpOnly does not protect the cookie on the wire; when the portal is served over HTTPS, also mark the session cookie Secure (Servlet 3.0 cookie-config in web.xml on Tomcat 7 and later).
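The three findings above can be verified from the outside with one request to the login page. The following audit script is an added example, not part of the original checklist or of Liferay/Tomcat: it parses a raw HTTP response and reports a version-bearing Liferay-Portal or Server header, a JSESSIONID cookie without HttpOnly, and a password field whose form allows autocomplete. The two sample responses are constructed here to stand in for the default and the hardened configuration (the hardened sample assumes the Tomcat Server header was also replaced via the Connector server attribute); the field name _58_password and the build string are illustrative.

```python
import re

# Constructed sample responses (not captured from a real server).
# WEAK_RESPONSE mirrors the default configuration, HARDENED_RESPONSE the
# configuration recommended in the three findings above.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Liferay-Portal: Liferay Portal Community Edition 6.1.0 CE (Build 6100)\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    '<html><body><form action="/c/portal/login" method="post">'
    '<input name="_58_login" type="text">'
    '<input name="_58_password" type="password">'
    "</form></body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Liferay-Portal: Liferay Portal Community Edition\r\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    '<html><body><form action="/c/portal/login" method="post" autocomplete="off">'
    '<input name="_58_login" type="text">'
    '<input name="_58_password" type="password">'
    "</form></body></html>"
)

VERSION_RE = re.compile(r"\b\d+\.\d+(\.\d+)?\b")   # e.g. 6.1.0
SESSION_COOKIE = "JSESSIONID"                      # Tomcat's default session cookie
TAG_RE = re.compile(r"<(form|input)\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')  # assumes double-quoted attributes


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def check_version_disclosure(headers):
    """Finding 1: Liferay-Portal header with a version, or a Server header
    of the form product/version. Returns one message per offending header."""
    findings = []
    for name, value in headers:
        if name == "liferay-portal" and VERSION_RE.search(value):
            findings.append(f"{name} header discloses {value}")
        elif name == "server" and re.search(r"/\d", value):
            # "Apache-Coyote/1.1" names the connector rather than the Tomcat
            # release, but it still fingerprints the stack as Tomcat.
            findings.append(f"{name} header discloses {value}")
    return findings


def check_session_cookie_httponly(headers):
    """Finding 3: Set-Cookie for the session cookie lacking the HttpOnly attribute."""
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        if parts[0].split("=", 1)[0] == SESSION_COOKIE:
            if not any(p.lower() == "httponly" for p in parts[1:]):
                return f"{SESSION_COOKIE} cookie set without HttpOnly"
    return None


def check_login_autocomplete(body):
    """Finding 2: a password field without autocomplete="off" on the input
    itself or on the enclosing form (Liferay sets it on the form)."""
    form_off = False
    for m in TAG_RE.finditer(body):
        attrs = {k.lower(): v.lower() for k, v in ATTR_RE.findall(m.group(0))}
        if m.group(1).lower() == "form":
            form_off = attrs.get("autocomplete") == "off"
        elif attrs.get("type") == "password":
            if not form_off and attrs.get("autocomplete") != "off":
                return f"password field {attrs.get('name', '?')} allows autocomplete"
    return None


def audit(raw):
    """Run all three checks against a raw response and return the findings."""
    _, headers, body = parse_response(raw)
    findings = list(check_version_disclosure(headers))
    for single in (check_session_cookie_httponly(headers),
                   check_login_autocomplete(body)):
        if single:
            findings.append(single)
    return findings


if __name__ == "__main__":
    # Against a live portal, feed audit() the raw response of the login page
    # (e.g. captured with curl -i); here the constructed samples stand in.
    for label, sample in (("default", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(sample) or "no findings")
```

Run it once before and once after applying the properties above and restarting; the hardened response should produce no findings. The autocomplete check reports a clean result once the form carries autocomplete="off", but as noted above that attribute is advisory for modern browsers.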