
liferay-6.2EE Cross site scripting

gary b, modified 8 years ago.

liferay-6.2EE Cross site scripting

Junior Member, Posts: 81, Join date: 02/02/13
Hi,

We are using liferay-6.2EESP5-jboss-6.1.0-EAP for our portal.
It was observed that our application renders user-supplied scripts in the browser, resulting in cross-site scripting attacks.
One of the examples is below:
While capturing the request in a proxy tool and appending the payload "><script>alert (document. Cookie) </script> to the URL, it gets executed, displaying the session ID and also giving a 200 OK success message on the browser console.

We need to prevent our site from cross-site scripting attacks. Please let me know how to achieve this.

Thanks in Advance.
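As an added illustration (not code from the original post, and not Liferay's own code), the following Python model shows the reflection gary b describes: a query parameter copied verbatim into an HTML attribute beside the same parameter HTML-encoded for that context, plus a check over constructed access-log lines for requests carrying the payload. The URL, markup template and log lines are constructed for the example; in Liferay's own portal-kernel the encoding step is what HtmlUtil.escape provides for custom JSPs, while the platform's own templates are covered by the patches the replies below mention.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample request: the post's payload appended to a query parameter,
# URL-encoded the way an intercepting proxy would send it.
SAMPLE_URL = "/web/guest/search?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"

# Constructed markup fragment that reflects the parameter into an attribute value.
TEMPLATE = '<input type="text" name="q" value="{value}">'

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def query_param(url: str, name: str) -> str:
    """Return the percent-decoded value of one query-string parameter ('' if absent)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Reflect the parameter verbatim: the behaviour the post observes.
    A value starting with '">' closes the attribute and the tag, so the rest
    of the payload becomes live markup the browser parses."""
    return TEMPLATE.format(value=value)


def render_hardened(value: str) -> str:
    """Encode for the HTML attribute context before reflecting.
    html.escape(quote=True) turns &, <, >, " and ' into entities, so the
    browser shows the payload as text instead of treating it as markup."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


def contains_script_tag(markup: str) -> bool:
    """True if the markup contains an actual <script> tag (entities do not count)."""
    return SCRIPT_TAG.search(markup) is not None


# Constructed access-log lines in combined format; the second carries the payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2016:10:00:01 +0000] "GET /web/guest/search?q=liferay HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Mar/2016:10:00:07 +0000] "GET /web/guest/search?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5210',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(lines):
    """Return indices of log lines whose decoded request path carries a <script> tag.
    A hit only shows the payload was sent; a 200 status, as in the post, does not
    by itself prove the page reflected it unescaped."""
    flagged = []
    for i, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if m and contains_script_tag(unquote_plus(m.group(1))):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    value = query_param(SAMPLE_URL, "q")
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
    print("flagged log lines:", flag_suspicious_requests(SAMPLE_LOG))
```

The encoding must match the context the value lands in: the attribute-context escaping above is not sufficient on its own for a value placed inside a script block or a URL, and the log check is a signal for triage, not a substitute for fixing the output.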
Patrick Wolf, modified 8 years ago.

RE: liferay-6.2EE Cross site scripting

Regular Member, Posts: 127, Join date: 15/09/10
gary b:
We need to prevent our site from cross-site scripting attacks. Please let me know how to achieve this.


As you have the Enterprise Edition, did you get hold of someone at Liferay who can help you, or did you create an issue in Liferay's JIRA?
Patrick Wolf, modified 8 years ago.

RE: liferay-6.2EE Cross site scripting

Regular Member, Posts: 127, Join date: 15/09/10
You are not the only one. Look at this thread.
David H Nebinger, modified 8 years ago.

RE: liferay-6.2EE Cross site scripting

Liferay Legend, Posts: 14915, Join date: 02/09/06
gary b:
We are using liferay-6.2EESP5-jboss-6.1.0-EAP for our portal.


Well, that's your mistake. If you are an EE subscriber and you were actually concerned about security, you wouldn't be sitting at SP5; you would have been patching all along, given the email notifications you receive about vulnerabilities and resolutions.

We need to prevent our site from cross-site scripting attacks. Please let me know how to achieve this.


It will sound cruel, but if you don't want to maintain your environment, perhaps you should hire someone who will...