Forums

Liferay Cross Site Scripting (XSS) Issues

Rakesh Gupta, modified 9 years ago

Liferay Cross Site Scripting (XSS) Issues

New Member Posts: 9 Join date: 2009.07.19. Recent posts
We have used a tool called Burpsuite and run it against a Liferay installation and we have come out with a huge amount of XSS issues with Liferay. Basically any input is not validated and users can inject <script>alert(1);</script> tags into Liferay by just utilising the URLs. Especially so if we hit the error page and we inject a script tag in the header, the error message page loads with the script executed.

The antisamy plugin is for web content. Is there a way to automatically escape all fields being posted even before Liferay runs its code to process the page's content? I know that sometimes we may want the parameters unescaped, but from a security perspective, that would be better than trying to fix hundreds of locations where this vulnerability exists. Basically everywhere.
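One way to do the blanket input escaping Rakesh asks about, as an added example that is not Liferay's own code or anything from this thread: a standard servlet Filter wraps the request so every parameter is HTML-escaped before portal code reads it, with a pass-through list for fields that must stay raw. The class name, the filter and the parameter name `articleContent` are assumptions made here.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Servlet filter that HTML-escapes every request parameter before the portal code reads it. */
public class ParameterEscapingFilter implements Filter {
    // Parameters that must stay raw (hypothetical name: a web-content body left to AntiSamy).
    private static final Set<String> PASS_THROUGH = new HashSet<String>(Arrays.asList("articleContent"));

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new EscapingRequest((HttpServletRequest) req);  // downstream code only sees escaped values
        }
        chain.doFilter(req, res);
    }

    // Escape the five HTML metacharacters; "&" goes first so the entities produced below are not escaped twice.
    static String escapeHtml(String s) {
        if (s == null) return null;
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&#34;").replace("'", "&#39;");
    }

    static class EscapingRequest extends HttpServletRequestWrapper {
        EscapingRequest(HttpServletRequest r) { super(r); }

        @Override public String getParameter(String name) {
            String v = super.getParameter(name);
            return PASS_THROUGH.contains(name) ? v : escapeHtml(v);
        }
        @Override public String[] getParameterValues(String name) {
            String[] vs = super.getParameterValues(name);
            if (vs == null || PASS_THROUGH.contains(name)) return vs;
            String[] out = new String[vs.length];
            for (int i = 0; i < vs.length; i++) out[i] = escapeHtml(vs[i]);
            return out;
        }
        @Override public Map<String, String[]> getParameterMap() {
            Map<String, String[]> out = new LinkedHashMap<String, String[]>();
            for (String n : super.getParameterMap().keySet()) out.put(n, getParameterValues(n));
            return out;
        }
    }
}
```

Register it in web.xml with a filter-mapping on /* ahead of the portal's own filters; it covers request parameters only, not headers or path segments. Because it escapes at input, stored data carries the entities, so it is a stopgap next to escaping at output in the taglibs.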
Tomas Polesovsky, modified 9 years ago

RE: Liferay Cross Site Scripting (XSS) Issues

Liferay Master Posts: 676 Join date: 2009.02.13. Recent posts
Hi Rakesh,

all <aui:input*> values should be safe from XSS.

Anyway, if you feel that there is XSS in the portal, feel free to report a security issue - https://www.liferay.com/security.

Thank you!