<img alt="Liferay" height="36" src="http://cdn.www.liferay.com/osb-www-theme/images/custom/heading.png" width="146" />

Hi,

I found this report recently.

US-CERT Vulnerability Note VU#750796   
Liferay Portal p_p_id parameter vulnerable to persistent cross-site scripting    http://www.kb.cert.org/vuls/id/750796 

To solve this problem, should I obtain the source code of 5.3 from Subversion?
Now, We are developing using 5.2.3 ext and plugin_sdk.
Is there compatibility of 5.2 and 5.3?

Thanks.

RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr

January 21, 2010 11:33 AM

Answer

Lisa Simpson

Rank: Liferay Legend

Posts: 2034

Join Date: March 5, 2009

I truly wish that Liferay would but an announcement portlet in the control panel for administrators and omni-admins so that they could push out important announcements like that to all of their users.

Mark as an Answer

RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr

January 21, 2010 12:44 PM

Answer

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1437

Join Date: September 23, 2008

Lisa Simpson:

The good news is, that now you can do this yourself - at least in unpatched versions.

(ducks and hides in the dark)

Mark as an Answer

RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr

January 21, 2010 12:50 PM

Answer

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1437

Join Date: September 23, 2008

Look at the patches in the FishEye tab at LPS-6034 and see if the patches to trunk still apply without any work to the 5.2.3 codebase. Chances are that - when the code has changed - you have to look in a different line, but not in a different class.

Mark as an Answer

RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr

January 28, 2010 3:26 AM

Answer

Kazutaka KAMIYA

Rank: New Member

Posts: 5

Join Date: November 26, 2009

Thank you for your advice.

I read FishEye. Therefore I understood that there was a difference in 5.2.3 and 6.0.0 (5.3).
Because there was not a function called HtmlUtil#escapeJS in 5.2.3, I decided to use org.apache.commons.lang.StringEscapeUtils#escapeJavaScript instead.

However, I worry by this method about correct.

Mark as an Answer

RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr

January 29, 2010 10:08 AM

Answer

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1437

Join Date: September 23, 2008

Kazutaka KAMIYA:

Because there was not a function called HtmlUtil#escapeJS in 5.2.3, I decided to use org.apache.commons.lang.StringEscapeUtils#escapeJavaScript instead.

You could also just add HtmlUtil to the backport and add it to the patch. This way you'd have the same effect as the patch from FishEye

Mark as an Answer

RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr

July 9, 2010 2:23 PM

Answer

Chris Kauffman

Rank: New Member

Posts: 21

Join Date: November 18, 2008

I need to back port this fix into a 5.1.2 code base. However, fisheye is down for the count with no hope of ever coming back. Can someone post what was actually changed to fix this?

Thank you,

Mark as an Answer

RE: Liferay Portal p_p_id parameter vulnerable to persistent cross-site scr

July 12, 2010 2:30 AM

Answer

LIFERAY STAFF

Rank: Liferay Legend

Posts: 1437

Join Date: September 23, 2008

With fisheye being down, my only guess would be to hunt down the relevant commit in svn with your favourite svn client. The commits contain the ticket number as comment.

Sorry