Message Boards

Liferay 6.1.0 GA1 XSS Vulnerabilities

Dikie Rendra Aditya, modified 9 years ago.

Liferay 6.1.0 GA1 XSS Vulnerabilities

New Member Posts: 14 Join Date: 09-3-11 Recent Posts
Dear Liferay Experts,

We are currently having issues with XSS vulnerabilities in our Liferay 6.1.0 CE GA1 deployment, discovered at the following URLs and parameters:

/home/ [_58_struts_action parameter]
/home/ [p_p_mode parameter]
/home/ [p_p_state parameter]
/combo/ [m parameter]
/home/ [_58_doActionAfterLogin parameter]
/home/ [p_auth parameter]
/home/ [p_p_col parameter]
/home/ [p_p_id parameter]
/home/ [p_p_lifecycle parameter]
/home/ [saveLastPath parameter]

Please help on how to resolve this issue.

Best Regards,
Dikie Aditya.
Tomas Polesovsky, modified 9 years ago.

RE: Liferay 6.1.0 GA1 XSS Vulnerabilities

Liferay Master Posts: 676 Join Date: 09-2-13 Recent Posts
Hi Dikie,

I wasn't able to reproduce it. I believe all these are so-called "false-positives".

Can you please share the HTTP request + response to verify it?

Also please look at https://www.liferay.com/community/security-team/known-vulnerabilities and apply patches to known vulnerabilities.

Regards,
Tomas
Dikie Rendra Aditya, modified 9 years ago.

RE: Liferay 6.1.0 GA1 XSS Vulnerabilities

New Member Posts: 14 Join Date: 09-3-11 Recent Posts
Hi Tomas,

Thanks for the reply. I'm having this issue with Internet Explorer 11 while injecting this code:

_58_struts_action=%2Flogin%2Floginb254a"><script>alert(1)</script>30bbb&_58_doActionAfterLogin=false

Regards,
Dikie Aditya
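Tomas asked for the request and response because a scanner flags a parameter as XSS whenever it sees its probe come back, regardless of whether the markup survived output encoding. The following triage helper is an added example, not code from this thread or from Liferay: it takes the query string quoted above and a captured response body, and reports whether each suspicious value was reflected raw (a real candidate), reflected HTML- or URL-encoded (a false positive in an HTML body context), or not reflected at all. The two response bodies are constructed for illustration, not real Liferay output.

```python
import html
import re
from urllib.parse import parse_qs, quote

# Constructed sample: the query string from the post above, as a scanner would send it.
QUERY = ('_58_struts_action=%2Flogin%2Floginb254a"><script>alert(1)</script>30bbb'
         '&_58_doActionAfterLogin=false')

# Constructed sample responses (hypothetical, not captured from Liferay).
# ESCAPED_BODY is what a page that HTML-encodes the value would return.
ESCAPED_BODY = ('<input type="hidden" name="_58_struts_action" '
                'value="/login/loginb254a&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;30bbb" />')
# RAW_BODY is what a page that echoes the value unencoded would return.
RAW_BODY = ('<input type="hidden" name="_58_struts_action" '
            'value="/login/loginb254a"><script>alert(1)</script>30bbb" />')


def suspicious_values(query: str) -> dict[str, str]:
    """Return the parameters whose decoded value carries HTML metacharacters."""
    params = parse_qs(query, keep_blank_values=True)
    return {name: vals[0] for name, vals in params.items()
            if re.search(r'[<>"\']', vals[0])}


def classify_reflection(value: str, body: str) -> str:
    """Say how one parameter value came back in the response body."""
    if value in body:
        return "reflected-raw"        # markup survived: a genuine XSS candidate
    encoded_forms = (html.escape(value, quote=True), quote(value, safe=""))
    if any(form in body for form in encoded_forms):
        return "reflected-escaped"    # neutralised by output encoding: false positive
    return "not-reflected"


def triage(query: str, body: str) -> dict[str, str]:
    """Classify every suspicious parameter of a request against its response."""
    return {name: classify_reflection(value, body)
            for name, value in suspicious_values(query).items()}


if __name__ == "__main__":
    for label, body in (("escaped", ESCAPED_BODY), ("raw", RAW_BODY)):
        print(label, triage(QUERY, body))
```

Only a "reflected-raw" result is worth escalating; an "reflected-escaped" one is the false positive Tomas describes, provided the value lands in an HTML body or quoted attribute and not in a script or URL context.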
Samuel Kong, modified 9 years ago.

RE: Liferay 6.1.0 GA1 XSS Vulnerabilities

Liferay Legend Posts: 1902 Join Date: 08-3-10 Recent Posts
Hi Dikie,

As Tomas mentioned, this is a known issue and is resolved in the patch for LPS-48071.

The patches on the CST are for 6.2, so you'll need to either upgrade to 6.2 or use the source code and create a patch yourself.