Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Kazutaka KAMIYA
Liferay Portal p_p_id parameter vulnerable to persistent cross-site script
January 21, 2010 12:36 AM
Answer

Kazutaka KAMIYA

Rank: New Member

Posts: 5

Join Date: November 26, 2009

Recent Posts

Hi,

I found this report recently.

US-CERT Vulnerability Note VU#750796



Liferay Portal p_p_id parameter vulnerable to persistent cross-site scripting



http://www.kb.cert.org/vuls/id/750796



To solve this problem, should I obtain the source code of 5.3 from Subversion?
Now, We are developing using 5.2.3 ext and plugin_sdk.
Is there compatibility of 5.2 and 5.3?

Thanks.
Lisa Simpson
RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr
January 21, 2010 11:33 AM
Answer

Lisa Simpson

Rank: Liferay Legend

Posts: 2034

Join Date: March 5, 2009

Recent Posts

I truly wish that Liferay would but an announcement portlet in the control panel for administrators and omni-admins so that they could push out important announcements like that to all of their users.
Olaf Kock
RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr
January 21, 2010 12:44 PM
Answer

Olaf Kock

LIFERAY STAFF

Rank: Liferay Legend

Posts: 2105

Join Date: September 23, 2008

Recent Posts

Lisa Simpson:
I truly wish that Liferay would but an announcement portlet in the control panel for administrators and omni-admins so that they could push out important announcements like that to all of their users.


The good news is, that now you can do this yourself - at least in unpatched versions.

(ducks and hides in the dark)
Olaf Kock
RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr
January 21, 2010 12:50 PM
Answer

Olaf Kock

LIFERAY STAFF

Rank: Liferay Legend

Posts: 2105

Join Date: September 23, 2008

Recent Posts

Look at the patches in the FishEye tab at LPS-6034 and see if the patches to trunk still apply without any work to the 5.2.3 codebase. Chances are that - when the code has changed - you have to look in a different line, but not in a different class.
Kazutaka KAMIYA
RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr
January 28, 2010 3:26 AM
Answer

Kazutaka KAMIYA

Rank: New Member

Posts: 5

Join Date: November 26, 2009

Recent Posts

Thank you for your advice.

I read FishEye. Therefore I understood that there was a difference in 5.2.3 and 6.0.0 (5.3).
Because there was not a function called HtmlUtil#escapeJS in 5.2.3, I decided to use org.apache.commons.lang.StringEscapeUtils#escapeJavaScript instead.

However, I worry by this method about correct.
Olaf Kock
RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr
January 29, 2010 10:08 AM
Answer

Olaf Kock

LIFERAY STAFF

Rank: Liferay Legend

Posts: 2105

Join Date: September 23, 2008

Recent Posts

Kazutaka KAMIYA:
Because there was not a function called HtmlUtil#escapeJS in 5.2.3, I decided to use org.apache.commons.lang.StringEscapeUtils#escapeJavaScript instead.

You could also just add HtmlUtil to the backport and add it to the patch. This way you'd have the same effect as the patch from FishEye
Chris Kauffman
RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr
July 9, 2010 2:23 PM
Answer

Chris Kauffman

Rank: New Member

Posts: 21

Join Date: November 18, 2008

Recent Posts

I need to back port this fix into a 5.1.2 code base. However, fisheye is down for the count with no hope of ever coming back. Can someone post what was actually changed to fix this?

Thank you,
Olaf Kock
RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr
July 12, 2010 2:30 AM
Answer

Olaf Kock

LIFERAY STAFF

Rank: Liferay Legend

Posts: 2105

Join Date: September 23, 2008

Recent Posts

With fisheye being down, my only guess would be to hunt down the relevant commit in svn with your favourite svn client. The commits contain the ticket number as comment.

Sorry