Discussion Forums

OS Command Injection, LDAP and XPath injection flaws

Vishal Kumar, modified 11 years ago.

OS Command Injection, LDAP and XPath injection flaws

Regular Member Posts: 198 Join Date: 12/12/12
Is liferay 6.1 CE GA2 automatically able to stop -
1) OS Command Injection,
2) LDAP Injection
3) XPath injection flaws as well as other injection flaws
Hitoshi Ozawa, modified 11 years ago.

RE: OS Command Injection, LDAP and XPath injection flaws

Liferay Legend Posts: 7942 Join Date: 24/03/10
If you find any security flaw, please create a new liferay issue in the jira.
Vishal Kumar, modified 11 years ago.

RE: OS Command Injection, LDAP and XPath injection flaws

Regular Member Posts: 198 Join Date: 12/12/12
Hitoshi Ozawa:
If you find any security flaw, please create a new liferay issue in the jira.


Definitely Hitoshi.
Thanks for the reply.
David H Nebinger, modified 11 years ago.

RE: OS Command Injection, LDAP and XPath injection flaws

Liferay Legend Posts: 14915 Join Date: 2/09/06
Vishal Kumar:
Is liferay 6.1 CE GA2 automatically able to stop -
1) OS Command Injection,
2) LDAP Injection
3) XPath injection flaws as well as other injection flaws


Liferay does not allow you to invoke any OS commands directly, so you're good there.

There is no direct connection between what the user can do and LDAP (LDAP is sync'd w/ user profile changes, so as long as the user profile change passes validation, the data is valid and will be pushed indirectly to LDAP), so you're good there.

Liferay does not allow you to invoke any XPath type queries directly, so you should be good there too.

Most of the time these kinds of security problems would be introduced by your own custom portlets exposing this kind of functionality. I'd suggest doing security reviews of your own code over the Liferay core.
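The point above, that injection flaws enter through custom portlet code rather than the Liferay core, illustrated with an added Java example (not code from this thread or from Liferay): a custom portlet's LDAP user lookup, showing the vulnerable concatenated filter beside two hardened forms, RFC 4515 value escaping and a JNDI filter argument. The class and method names, `ldapUrl` and `baseDn` are assumptions.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class PortletLdapLookup {
    // Escape the characters RFC 4515 reserves inside filter values so that
    // user input can never alter the structure of the filter itself.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Vulnerable pattern: a request parameter concatenated into the filter.
    static String filterByConcatenation(String screenName) {
        return "(&(objectClass=person)(uid=" + screenName + "))";
    }
    // Hardened pattern: the same filter with the value escaped first.
    static String filterWithEscaping(String screenName) {
        return "(&(objectClass=person)(uid=" + escapeFilterValue(screenName) + "))";
    }
    // Preferred pattern: pass the value as a JNDI filter argument ({0}) and let
    // JNDI escape it. ldapUrl and baseDn are assumed deployment values.
    static List<String> lookupDns(String ldapUrl, String baseDn, String screenName)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        DirContext ctx = new InitialDirContext(env);
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        List<String> dns = new ArrayList<>();
        try {
            NamingEnumeration<SearchResult> results = ctx.search(baseDn,
                    "(&(objectClass=person)(uid={0}))", new Object[] {screenName}, ctls);
            while (results.hasMore()) dns.add(results.next().getNameInNamespace());
        } finally {
            ctx.close();
        }
        return dns;
    }
}
```

A code review of a custom portlet should flag any `filterByConcatenation`-style construction where the value comes from a request parameter and replace it with one of the two hardened forms.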