Vishal Kumar
OS Command Injection, LDAP and XPath injection flaws
12 December 2012 22:10
Ranking: Regular Member

Posts: 197

Joined: 11 December 2012

Is Liferay 6.1 CE GA2 automatically able to stop:
1) OS Command Injection,
2) LDAP Injection,
3) XPath injection flaws, as well as other injection flaws?
Hitoshi Ozawa
RE: OS Command Injection, LDAP and XPath injection flaws
30 December 2012 21:37
Ranking: Liferay Legend

Posts: 7952

Joined: 23 March 2010

If you find any security flaw, please create a new Liferay issue in the JIRA.
Vishal Kumar
RE: OS Command Injection, LDAP and XPath injection flaws
31 December 2012 0:00
Ranking: Regular Member

Posts: 197

Joined: 11 December 2012

Hitoshi Ozawa:
If you find any security flaw, please create a new Liferay issue in the JIRA.


Definitely Hitoshi.
Thanks for the reply.
David H Nebinger
RE: OS Command Injection, LDAP and XPath injection flaws
31 December 2012 5:48
Community Moderator

Ranking: Liferay Legend

Posts: 8955

Joined: 1 September 2006

Vishal Kumar:
Is Liferay 6.1 CE GA2 automatically able to stop:
1) OS Command Injection,
2) LDAP Injection,
3) XPath injection flaws, as well as other injection flaws?


Liferay does not allow you to invoke any OS commands directly, so you're good there.

There is no direct connection between what the user can do and LDAP (LDAP is sync'd w/ user profile changes, so as long as the user profile change passes validation, the data is valid and will be pushed indirectly to LDAP), so you're good there.

Liferay does not allow you to invoke any XPath type queries directly, so you should be good there too.

Most of the time these kinds of security problems would be introduced by your own custom portlets exposing this kind of functionality. I'd suggest doing security reviews of your own code over the Liferay core.
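The last point above is where the practical risk sits: a custom portlet that takes a screen name or search term from the request and splices it into an LDAP filter or an XPath expression. The following is an added example, not Liferay code and not written by anyone in this thread, showing the two defensive patterns a portlet author would use: RFC 4515 escaping of a value before it is placed in an LDAP filter, and binding user input to an XPath variable instead of concatenating it into the expression. The class and method names (`InjectionSafeLookups`, `userFilter`, `countUsersNamed`) and the embedded XML document are my own constructions for the demonstration; the unsafe `countUsersNamedUnsafe` method is included only to show why the input ends up changing the query's meaning when it is concatenated.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Hypothetical helper class; not part of Liferay or any poster's code.
public class InjectionSafeLookups {

    // RFC 4515 escaping for a value that will sit inside an LDAP search filter.
    // The filter metacharacters are replaced by their \xx hex forms so the
    // value can never close or extend the filter it is embedded in.
    public static String escapeLdapFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Builds a user lookup filter from an untrusted screen name.
    public static String userFilter(String screenName) {
        return "(&(objectClass=person)(uid=" + escapeLdapFilterValue(screenName) + "))";
    }

    // Constructed sample document standing in for a portlet's XML data source.
    private static final String SAMPLE_XML =
          "<users>"
        + "<user role=\"admin\"><name>alice</name></user>"
        + "<user role=\"member\"><name>bob</name></user>"
        + "</users>";

    // Parses the sample with DOCTYPE processing disabled (no external entities).
    public static Document parseSample() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(SAMPLE_XML)));
    }

    // Safe form: the untrusted name is bound to the XPath variable $name, so it is
    // compared as a plain string and cannot alter the predicate.
    public static int countUsersNamed(Document doc, String name) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(var ->
            "name".equals(var.getLocalPart()) ? name : null);
        NodeList nodes = (NodeList) xpath.evaluate(
            "/users/user[name=$name]", doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    // Unsafe form, shown for contrast: concatenation lets the input rewrite the predicate.
    public static int countUsersNamedUnsafe(Document doc, String name) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        NodeList nodes = (NodeList) xpath.evaluate(
            "/users/user[name='" + name + "']", doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseSample();
        String hostileName = "bob' or '1'='1";   // constructed test input

        // Wildcard and parentheses are neutralised, so the filter still matches one uid.
        System.out.println(userFilter("*)(uid=*"));

        // Concatenated: the predicate becomes always-true and both users match.
        System.out.println("unsafe matches: " + countUsersNamedUnsafe(doc, hostileName));

        // Parameterised: the whole string is compared literally and nothing matches.
        System.out.println("safe matches:   " + countUsersNamed(doc, hostileName));
    }
}
```

In a portlet the same two rules apply wherever the input comes from: escape before building an LDAP filter string, and keep user values out of the XPath expression text by binding them through `XPathVariableResolver` (the JAXP API does not offer prepared XPath statements, so the resolver is the standard substitute). If a portlet ever needs to run an OS command, the corresponding rule is to pass arguments as a `String[]` to `ProcessBuilder` rather than building a shell command line, which keeps the OS-command case in the same "structure fixed, data separate" shape as the other two.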