Discussion forums
OS Command Injection, LDAP and XPath injection flaws
Vishal Kumar, modified 11 years ago.
OS Command Injection, LDAP and XPath injection flaws
Regular Member Posts: 198 Join date: 12/12/12 Recent posts
Is Liferay 6.1 CE GA2 automatically able to stop -
1) OS Command Injection,
2) LDAP Injection
3) XPath injection flaws as well as other injection flaws
Hitoshi Ozawa, modified 11 years ago.
RE: OS Command Injection, LDAP and XPath injection flaws
Liferay Legend Posts: 7942 Join date: 24/03/10 Recent posts
If you find any security flaw, please create a new liferay issue in the jira.
Vishal Kumar, modified 11 years ago.
RE: OS Command Injection, LDAP and XPath injection flaws
Regular Member Posts: 198 Join date: 12/12/12 Recent posts
Hitoshi Ozawa:
If you find any security flaw, please create a new liferay issue in the jira.
Definitely Hitoshi.
Thanks for the reply.
David H Nebinger, modified 11 years ago.
RE: OS Command Injection, LDAP and XPath injection flaws
Liferay Legend Posts: 14916 Join date: 2/09/06 Recent posts
Vishal Kumar:
Is Liferay 6.1 CE GA2 automatically able to stop -
1) OS Command Injection,
2) LDAP Injection
3) XPath injection flaws as well as other injection flaws
Liferay does not allow you to invoke any OS commands directly, so you're good there.
There is no direct connection between what the user can do and LDAP (LDAP is sync'd w/ user profile changes, so as long as the user profile change passes validation, the data is valid and will be pushed indirectly to LDAP), so you're good there.
Liferay does not allow you to invoke any XPath type queries directly, so you should be good there too.
Most of the time these kinds of security problems would be introduced by your own custom portlets exposing this kind of functionality. I'd suggest doing security reviews of your own code over the Liferay core.