Information Disclosure via Liferay-Portal Header

Description

The 'Liferay-Portal' response header reveals that the application is powered by Liferay, a Java-based portal and content management platform. Such disclosure lets an attacker fingerprint the exact portal technology and version and look up known vulnerabilities or configuration weaknesses for that release. Malicious actors may then scan for default endpoints, admin consoles, or outdated plugins associated with Liferay. Exposing internal implementation details can also lend credibility to targeted phishing and social engineering. Overall, leaving this header unmasked removes a layer of obscurity and increases the risk of exploitation by adversaries familiar with Liferay-specific attack vectors.

Remediation

Remove or mask the 'Liferay-Portal' header unless it is strictly necessary. Review and adjust your Liferay configuration to minimize banner and version disclosure; this may involve custom server settings or web.xml modifications. Complement this with a Web Application Firewall (WAF) or intrusion detection rules that monitor for known Liferay exploits. Apply updates and patches from the Liferay community or vendor promptly to address emerging threats. Finally, conduct periodic security assessments to confirm that no further information is leaked and that the deployment remains aligned with best practices.
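As an added example (not part of this entry), the following defender-side check parses a stored HTTP response head and reports whether the Liferay-Portal header is present and how much version detail it exposes, so the same check can confirm the header is gone after remediation. The sample response heads are constructed, and the banner format (product name followed by a dotted version number) is an assumption.

```python
"""Audit an HTTP response head for the Liferay-Portal banner (added example)."""
import re

BANNER_HEADER = "liferay-portal"
# Assumption: a disclosed banner carries a dotted version such as "7.0.0" in its value.
VERSION_RE = re.compile(r"\b(\d+\.\d+(?:\.\d+)?)\b")

# Constructed sample response heads; the banner text is illustrative, not a real build string.
SAMPLE_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Liferay-Portal: Liferay Community Edition Portal 7.0.0 GA1 (Example / Build 7000)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_PARTIAL = "HTTP/1.1 200 OK\r\nliferay-portal: Liferay Portal\r\n\r\n"
SAMPLE_MASKED = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"


def parse_head(raw: str) -> dict:
    """Return response headers keyed by lower-cased name, stopping at the blank line."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if line == "":
            break  # end of the head; the body follows
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_banner(raw: str) -> dict:
    """Classify the disclosure: none, partial (product only) or full (version present)."""
    value = parse_head(raw).get(BANNER_HEADER)
    if value is None:
        return {"disclosed": False, "verbosity": "none", "version": None}
    match = VERSION_RE.search(value)
    version = match.group(1) if match else None
    return {
        "disclosed": True,
        "verbosity": "full" if version else "partial",
        "version": version,
    }


if __name__ == "__main__":
    for label, sample in (("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL), ("masked", SAMPLE_MASKED)):
        print(label, assess_banner(sample))
```

Run the same check against a live response captured after stripping the header at the portal or reverse proxy; a remediated deployment should report "disclosed": False.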

References

https://learn.liferay.com
https://owasp.org/www-community/attacks/Information_exposure

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-200

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (base score 5.3)

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (base score 5.3)