Discussion Forums
Liferay 6.1.0 GA1 XSS Vulnerabilities
Dikie Rendra Aditya, modified 9 years ago.
Liferay 6.1.0 GA1 XSS Vulnerabilities
New Member Posts: 14 Join Date: 11/03/09 Recent Posts
Dear Liferay Experts,
We are currently having issues with XSS vulnerabilities in our Liferay 6.1.0 CE GA1 deployment, discovered in the following URLs and parameters:
/home/ [_58_struts_action parameter]
/home/ [p_p_mode parameter]
/home/ [p_p_state parameter]
/combo/ [m parameter]
/home/ [_58_doActionAfterLogin parameter]
/home/ [p_auth parameter]
/home/ [p_p_col parameter]
/home/ [p_p_id parameter]
/home/ [p_p_lifecycle parameter]
/home/ [saveLastPath parameter]
Please help on how to resolve this issue.
Best Regards,
Dikie Aditya.
Tomas Polesovsky, modified 9 years ago.
RE: Liferay 6.1.0 GA1 XSS Vulnerabilities
Liferay Master Posts: 676 Join Date: 13/02/09 Recent Posts
Hi Dikie,
I wasn't able to reproduce it. I believe all these are so-called "false-positives".
Can you please share the HTTP request + response to verify it?
Also please look at https://www.liferay.com/community/security-team/known-vulnerabilities and apply patches to known vulnerabilities.
Regards,
Tomas
Dikie Rendra Aditya, modified 9 years ago.
RE: Liferay 6.1.0 GA1 XSS Vulnerabilities
New Member Posts: 14 Join Date: 11/03/09 Recent Posts
Hi Tomas,
Thanks for the reply, I'm having this issue with Internet Explorer 11, while injecting this code:
_58_struts_action=%2Flogin%2Floginb254a"><script>alert(1)</script>30bbb&_58_doActionAfterLogin=false
Regards,
Dikie Aditya
Samuel Kong, modified 9 years ago.
RE: Liferay 6.1.0 GA1 XSS Vulnerabilities
Liferay Legend Posts: 1902 Join Date: 10/03/08 Recent Posts
Hi Dikie,
As Tomas mentioned, this is a known issue and is resolved in the patch for LPS-48071.
The patches on the CST are for 6.2, so you'll need to either upgrade to 6.2 or use the source code and create a patch yourself.
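Tomas's request for the HTTP request and response is how a scanner finding like this is confirmed or dismissed as a false positive. As an added example (not part of the thread and not Liferay code), the Python below takes the query string Dikie posted and reports which metacharacters come back unencoded in a response body; the three response fragments are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

METACHARS = "<>\"'&"
ENTITY = r"&(?:#\d+|#[xX][0-9a-fA-F]+|[A-Za-z]\w*);"

def classify(value, body):
    """Return None if value is not reflected in body, else the sorted list of
    metacharacters that came back raw ([] means every one was entity-encoded)."""
    metas = [c for c in value if c in METACHARS]
    pattern = "".join(
        f"({re.escape(c)}|{ENTITY})" if c in METACHARS else re.escape(c)
        for c in value)
    for m in re.finditer(pattern, body):
        pairs = list(zip(m.groups(), metas))
        # Accept an entity only if it decodes to the character that was sent.
        if all(html.unescape(g) == c for g, c in pairs):
            return sorted({c for g, c in pairs if g == c})
    return None

def triage(query, body):
    """Classify every query parameter whose decoded value carries metacharacters."""
    return {name: classify(value, body)
            for name, value in parse_qsl(query, keep_blank_values=True)
            if any(c in METACHARS for c in value)}

# Query string as posted in the thread.
QUERY = ('_58_struts_action=%2Flogin%2Floginb254a"><script>alert(1)</script>30bbb'
         '&_58_doActionAfterLogin=false')
# Constructed response fragments (not captured from a real Liferay instance).
FIELD = '<input type="hidden" name="_58_struts_action" value="%s" />'
RAW = FIELD % '/login/loginb254a"><script>alert(1)</script>30bbb'
ENCODED = FIELD % '/login/loginb254a&#034;&gt;&lt;script&gt;alert(1)&lt;/script&gt;30bbb'
PARTIAL = FIELD % '/login/loginb254a"&gt;&lt;script&gt;alert(1)&lt;/script&gt;30bbb'

if __name__ == "__main__":
    for label, body in (("raw", RAW), ("encoded", ENCODED), ("partial", PARTIAL)):
        print(label, triage(QUERY, body))
```

An empty list means every metacharacter was entity-encoded, which is the false-positive case for HTML contexts. A double quote that survives on its own, as in the partial fragment, still matters when the value lands inside an attribute.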