Rakesh Gupta, modified 9 years ago
Liferay Cross Site Scripting (XSS) Issues
New Member Posts: 9 Join date: 2009.07.19. Recent posts
We have used a tool called Burpsuite and run it against a Liferay installation and we have come out with a huge amount of XSS issues with Liferay. Basically any input is not validated and users can inject <script>alert(1);</script> tags into Liferay by just utilising the URLs. Especially so if we hit the error page and we inject a script tag in the header, the error message page loads with the script executed.
The antisamy plugin is for web content. Is there a way to automatically escape all fields being posted even before Liferay runs its code to process the page's content? I know that sometimes we may want the parameters unescaped, but from a security perspective, that would be better than trying to fix hundreds of locations where this vulnerability exists. Basically everywhere.
Tomas Polesovsky, modified 9 years ago
RE: Liferay Cross Site Scripting (XSS) Issues
Liferay Master Posts: 676 Join date: 2009.02.13. Recent posts
Hi Rakesh,
All <aui:input*> values should be safe from XSS.
Anyway, if you feel that there is XSS in the portal, feel free to report a security issue - https://www.liferay.com/security.
Thank you!