Home » Liferay Portal » English » 6. Portal Framework »
Andy Maier
xss vulnerabilities
July 8, 2008 12:32 AM
hello!

i tested liferay portal 5.0.1 with tomcat 5.5 last week and found vulnerabilities when inserting text into the text editor in the journal portlet and into the text fields on the input mask for creating users. i think that this issue comprises all input fields, especially those whose text is presented on a page afterwards.


regards,
a
Christoph H.
RE: xss vulnerabilities
July 8, 2008 2:56 PM
xss.allow=false in portal(-ext).properties
Andy Maier
RE: xss vulnerabilities
July 9, 2008 12:03 AM
hi!

thanks for your answer but where can i find this property file? i can't find it!

regards,
a
Andy Maier
RE: xss vulnerabilities
July 10, 2008 1:56 AM
ok, i have overridden the xss.allow settings in the portal-ext.properties file in the \webapps\ROOT\WEB-INF\classes folder and it now looks like this:

##
## XSS (Cross Site Scripting)
##

#
# Set the following to false to ensure that all persisted data is stripped
# of XSS hacks.
#
xss.allow=false

#
# You can override the "xss.allow" setting for a specific class by setting
# the property "xss.allow" plus the class name.
#
xss.allow.com.liferay.portal.model.Portlet=false
xss.allow.com.liferay.portal.model.PortletPreferences=false

#
# You can override the "xss.allow" setting for a specific field in a class
# by setting the property "xss.allow" plus the class and field name.
#
xss.allow.com.liferay.portlet.journal.model.JournalArticle.content=false
xss.allow.com.liferay.portlet.journal.model.JournalStructure.xsd=false
xss.allow.com.liferay.portlet.journal.model.JournalTemplate.xsl=false


even so, xss is still possible. any suggestions why it doesn't work?
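As an added example (not Liferay's code, and not a claim about how xss.allow is implemented internally), the following Python contrasts the two controls this thread touches: stripping markup when a value is persisted, which is what the property's comment describes, and encoding the value for the HTML context when it is rendered. The user names are constructed samples.

```python
import html
import re

# Constructed sample inputs: display names as they might be submitted
# through the create-user form discussed in the thread.
NAME_WITH_SCRIPT = 'Andy <script>alert(1)</script> Maier'
NAME_WITH_OTHER_MARKUP = 'Andy <b>Maier</b>'
NAME_LEGIT = 'Andy <andy@example.invalid>'  # hypothetical, legitimate use of '<'

# Control 1, in the spirit of "strip persisted data of XSS hacks": remove
# tags the filter knows about before the value hits the database. This is a
# deliberately small blacklist, shown only to illustrate why storage-time
# stripping is brittle: it only removes what it recognises.
SCRIPT_TAG = re.compile(r'</?\s*script[^>]*>', re.IGNORECASE)

def strip_on_persist(value: str) -> str:
    return SCRIPT_TAG.sub('', value)

# Control 2: persist the value exactly as entered and encode it for the HTML
# body/attribute context at render time. Every '<', '>', '&', '"' and "'"
# becomes an entity, so no stored value can open a tag, whatever it contains.
def encode_for_html(value: str) -> str:
    return html.escape(value, quote=True)

def render_profile(name: str, encode_on_output: bool) -> str:
    """Build the fragment a portlet would emit for a user's display name.

    encode_on_output=False simulates relying on storage-time stripping alone;
    encode_on_output=True applies contextual output encoding.
    """
    shown = encode_for_html(name) if encode_on_output else strip_on_persist(name)
    return '<span class="user-name">' + shown + '</span>'

# Check a practitioner can run over rendered fragments: anything inside the
# wrapper that still contains a raw '<' is attacker-influenced markup.
WRAPPER = re.compile(r'^<span class="user-name">(.*)</span>$', re.DOTALL)

def has_injected_tag(fragment: str) -> bool:
    inner = WRAPPER.match(fragment).group(1)
    return '<' in inner

if __name__ == '__main__':
    for name in (NAME_WITH_SCRIPT, NAME_WITH_OTHER_MARKUP, NAME_LEGIT):
        for encode in (False, True):
            frag = render_profile(name, encode)
            print(f'encode_on_output={encode!s:5} injected={has_injected_tag(frag)!s:5} {frag}')
```

Output encoding also round-trips the stored value (html.unescape recovers it), whereas stripping destroys data it happens to match.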
Andy Maier
RE: xss vulnerabilities
August 4, 2008 3:17 AM
nobody who can tell me if these are bugs or known issues?

my problems are that
- when i insert javascript in the name field of a user, it gets executed.
- and when i add an article in the asset publisher and write some javascript in the title, it also gets executed.

and it shouldn't be possible for a user to insert javascript that gets executed. i have already set xss.allow to false in the portal-ext.properties file.
Jaime Israel Ramírez Hernández
RE: xss vulnerabilities
August 8, 2008 12:22 PM
Hello!!!

I'm getting the same results... seems like that property is not working (like the company.login.prepopulate.domain=false property on my portal).