Fórumok

  1. Nyitólap
  2. Development
  3. Liferay Portal PCE contains multiple cross-site scripting vulnerabilities

Liferay Portal PCE contains multiple cross-site scripting vulnerabilities

thumbnail
Shin Sameshima, módosítva 9 év-val korábban

Liferay Portal PCE contains multiple cross-site scripting vulnerabilities

New Member Bejegyzések: 11 Csatlakozás dátuma: 2013.08.03. Legújabb bejegyzések
Hi, everybody.
I noted the following vulnerability. Is Liferay 6.2 affected to this vulnerability?

http://www.kb.cert.org/vuls/id/100972

Description
---------------------------
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-2963
Liferay is affected by a Persistent Cross Site Scripting vulnerability in the "my account area".
The specific versions affected are: Liferay Portal Community Edition 6.1.2 CE GA3, 6.1.X EE, 6.2.X EE, Master
Three instances of this issue were identified, at the following locations/parameters:

/group/control_panel/manage [_2_firstName parameter]
/group/control_panel/manage [_2_lastName parameter]
/group/control_panel/manage [_2_middleName parameter]
---------------------------

Regards
thumbnail
Tomas Polesovsky, módosítva 9 év-val korábban

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

Liferay Master Bejegyzések: 676 Csatlakozás dátuma: 2009.02.13. Legújabb bejegyzések
Hi,

yes, 6.2 is vulnerable. We addressed the vulnerability and we are building patches for 6.1 EE, 6.2 EE + 6.2 CE GA2 (6.2.1).

Please monitor our customer portal for EE patches and CST known vulnerabilities page for CE patch.

Thank you.
thumbnail
Shin Sameshima, módosítva 9 év-val korábban

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

New Member Bejegyzések: 11 Csatlakozás dátuma: 2013.08.03. Legújabb bejegyzések
Hi,tomas
Thank you for your quick reply.
Please tell me about Jira No.(LPS-*****) of CVE-2014-2963.
I can't look for description of XSS issue in "my account area".

Regards.
thumbnail
Tomas Polesovsky, módosítva 9 év-val korábban

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti (Válasz)

Liferay Master Bejegyzések: 676 Csatlakozás dátuma: 2009.02.13. Legújabb bejegyzések
Hi Shin,

it's LPS-46156 but only Community Security Team members can see the details.
thumbnail
Shin Sameshima, módosítva 9 év-val korábban

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

New Member Bejegyzések: 11 Csatlakozás dátuma: 2013.08.03. Legújabb bejegyzések
Hi,tomas.
I wait LPS-46156 which will be fixed.
Thank you .
raghu batchu, módosítva 9 év-val korábban

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

New Member Bejegyzések: 9 Csatlakozás dátuma: 2009.08.23. Legújabb bejegyzések
Hi

If this is fixed please let me know the patch location for 6.0 and 6.1 EE.

Thanks
Raghu Batchu
gary b, módosítva 8 év-val korábban

RE: Liferay Portal PCE contains multiple cross-site scripting vulnerabiliti

Junior Member Bejegyzések: 81 Csatlakozás dátuma: 2013.02.02. Legújabb bejegyzések
Hi,

We are using liferay-6.2EESP5-jboss-6.1.0-EAP for our portal.
It was observed that the our application renders the user supplied scripts in the browser resulting in Cross site scripting attacks.
one of the example is below:
While capturing the request in proxy tools and append the Payload “><script>alert (document. Cookie) </script> in the url, it is getting executed and displaying the session ID and also giving 200 ok success on console.

We need to prevent our site from cross site attack. Please let me know how to resolve this.

Thanks in Advance.