Vishal Kumar
OS Command Injection, LDAP and XPath injection flaws
December 12, 2012 10:10 PM
Is Liferay 6.1 CE GA2 automatically able to stop -
1) OS Command Injection,
2) LDAP Injection,
3) XPath injection flaws, as well as other injection flaws?
Hitoshi Ozawa
RE: OS Command Injection, LDAP and XPath injection flaws
December 30, 2012 9:37 PM
If you find any security flaw, please create a new Liferay issue in the JIRA.
Vishal Kumar
RE: OS Command Injection, LDAP and XPath injection flaws
December 31, 2012 12:00 AM
Hitoshi Ozawa:
If you find any security flaw, please create a new Liferay issue in the JIRA.

Definitely Hitoshi.
Thanks for the reply.
David H Nebinger
RE: OS Command Injection, LDAP and XPath injection flaws
December 31, 2012 5:48 AM
Vishal Kumar:
Is Liferay 6.1 CE GA2 automatically able to stop -
1) OS Command Injection,
2) LDAP Injection,
3) XPath injection flaws, as well as other injection flaws?

Liferay does not allow you to invoke any OS commands directly, so you're good there.

There is no direct connection between what the user can do and LDAP (LDAP is sync'd w/ user profile changes, so as long as the user profile change passes validation, the data is valid and will be pushed indirectly to LDAP), so you're good there.

Liferay does not allow you to invoke any XPath type queries directly, so you should be good there too.

Most of the time these kinds of security problems would be introduced by your own custom portlets exposing this kind of functionality. I'd suggest doing security reviews of your own code over the Liferay core.
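The advice above is that injection risk lives in custom portlet code rather than the Liferay core, so the review worth doing is of your own LDAP and XPath lookups. The following is an added illustration, not code from this thread or from Liferay, of what such a review looks for: a filter built by string concatenation next to two hardened forms (RFC 4515 escaping, and JNDI's `{0}` filter arguments, which encode the value for you), and an XPath query that binds user input through `XPathVariableResolver` instead of splicing it into the expression. The class name, the `/users/user` document layout and the sample screen names are constructed for the example.

```java
import java.io.StringReader;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical helper a custom portlet might use for directory and XML lookups.
public class InjectionSafeLookups {

    // RFC 4515 escaping for a value placed inside an LDAP search filter:
    // the filter metacharacters become backslash-hex escapes.
    static String escapeLdapFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the screen name is concatenated straight into the filter,
    // so filter syntax in the input changes the query's meaning.
    static String vulnerableFilter(String screenName) {
        return "(&(objectClass=person)(uid=" + screenName + "))";
    }

    // Hardened form 1: escape before concatenation; the input is always a literal value.
    static String hardenedFilter(String screenName) {
        return "(&(objectClass=person)(uid=" + escapeLdapFilterValue(screenName) + "))";
    }

    // Hardened form 2: let JNDI substitute {0}; it performs the RFC 4515 encoding itself.
    static NamingEnumeration<SearchResult> searchUser(DirContext ctx, String base, String screenName)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"mail"});
        return ctx.search(base, "(&(objectClass=person)(uid={0}))", new Object[] {screenName}, sc);
    }

    // XPath: bind the input as the variable $screenName instead of building the expression string.
    static String lookupEmail(Document doc, String screenName) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name ->
                "screenName".equals(name.getLocalPart()) ? screenName : null);
        XPathExpression expr = xpath.compile("/users/user[@name=$screenName]/email/text()");
        return expr.evaluate(doc);
    }

    public static void main(String[] args) throws Exception {
        // Input shaped like an LDAP filter fragment (constructed for the example).
        String hostile = "*)(uid=*";
        System.out.println("vulnerable: " + vulnerableFilter(hostile));
        // -> (&(objectClass=person)(uid=*)(uid=*)) : matches every person
        System.out.println("hardened:   " + hardenedFilter(hostile));
        // -> (&(objectClass=person)(uid=\2a\29\28uid=\2a)) : matches only that literal uid

        // Constructed user document; DOCTYPEs are disallowed so the parser cannot be fed external entities.
        String xml = "<users>"
                + "<user name=\"alice\"><email>alice@example.test</email></user>"
                + "<user name=\"bob\"><email>bob@example.test</email></user>"
                + "</users>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        // With variable binding, a quote-and-predicate input stays a plain (non-matching) string.
        System.out.println("alice -> " + lookupEmail(doc, "alice"));
        System.out.println("hostile -> '" + lookupEmail(doc, "' or '1'='1") + "'");
    }
}
```

Reviewing a portlet for these issues means grepping for `ctx.search(`, `xpath.compile(` and similar calls and checking whether the string argument is built with `+` from request parameters; the JNDI `{0}` form and `XPathVariableResolver` are the fixes that make the argument a constant again.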