liferay-6.2EE Cross site scripting
gary b, modified 8 years ago.
liferay-6.2EE Cross site scripting
Junior Member, Posts: 81, Join date: 02/02/13
Hi,
We are using liferay-6.2EESP5-jboss-6.1.0-EAP for our portal.
It was observed that our application renders user-supplied scripts in the browser, resulting in cross-site scripting attacks.
One example is below:
While capturing the request in a proxy tool and appending the payload “><script>alert (document. Cookie) </script> to the URL, it gets executed, displaying the session ID and also returning a 200 OK success message in the browser console.
We need to prevent our site from cross-site attacks. Please let me know how to achieve this.
Thanks in Advance.
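The symptom described in this post is a value from the URL being written into a quoted HTML attribute without encoding, so a value beginning with "> closes the attribute and the tag. The following is an added example, not code from this thread or from Liferay; it assumes a Liferay 6.2 portlet with portal-service.jar on the classpath (which provides HtmlUtil and ParamUtil), and the class name and the "q" parameter are hypothetical.

```java
// Added example: context-aware output encoding with Liferay's HtmlUtil.
// Assumes portal-service.jar (Liferay 6.2) on the classpath; the class
// and the "q" parameter are hypothetical.
import com.liferay.portal.kernel.util.HtmlUtil;
import com.liferay.portal.kernel.util.ParamUtil;

import javax.portlet.RenderRequest;

public class SearchFormRenderer {

    // Vulnerable form: the raw "q" parameter is concatenated into a quoted
    // attribute. A value starting with "> ends the attribute and the tag, so
    // the remainder is parsed as new markup (the behaviour reported above).
    public static String renderUnsafe(String q) {
        return "<input type=\"text\" name=\"q\" value=\"" + q + "\">";
    }

    // Hardened form: encode for the context the value lands in.
    // escapeAttribute() entity-encodes characters such as " < > & so the
    // value cannot leave the attribute; escape() does the same for element
    // text. Each output context needs its own encoder (escapeJS, escapeURL).
    public static String renderSafe(String q) {
        return "<input type=\"text\" name=\"q\" value=\""
            + HtmlUtil.escapeAttribute(q) + "\">"
            + "<p>Results for: " + HtmlUtil.escape(q) + "</p>";
    }

    // Portlet usage: read the parameter and emit only the encoded form.
    public static String render(RenderRequest request) {
        String q = ParamUtil.getString(request, "q");
        return renderSafe(q);
    }

    // Stand-alone check using the payload quoted in the post (constructed input).
    public static void main(String[] args) {
        String payload = "\"><script>alert(document.cookie)</script>";
        System.out.println(renderUnsafe(payload)); // attribute is broken out of
        System.out.println(renderSafe(payload));   // rendered as literal text
    }
}
```

Output encoding in your own portlets covers the places you control; it does not replace the vendor fix packs the replies below refer to, which address XSS in the portal's own pages.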
Patrick Wolf, modified 8 years ago.
RE: liferay-6.2EE Cross site scripting
Regular Member, Posts: 127, Join date: 15/09/10
We need to prevent our site from cross-site attacks. Please let me know how to achieve this.
As you get the enterprise edition, did you get hold of someone who can help you at Liferay or did you create an issue in Liferay JIRA?
David H Nebinger, modified 8 years ago.
RE: liferay-6.2EE Cross site scripting
Liferay Legend, Posts: 14915, Join date: 02/09/06
gary b:
We are using liferay-6.2EESP5-jboss-6.1.0-EAP for our portal.
Well, that's your mistake. If you are an EE subscriber and you were actually concerned about security, you wouldn't be sitting at SP5; you would have been patching all along because of the email notifications you receive about vulnerabilities and resolutions.
We need to prevent our site from cross-site attacks. Please let me know how to achieve this.
It will sound cruel, but if you don't want to maintain your environment perhaps you should hire someone who will...