Message Board
Liferay 6.1.0 GA1 XSS Vulnerabilities
Dikie Rendra Aditya, modified 9 years ago.
Liferay 6.1.0 GA1 XSS Vulnerabilities
New Member, Posts: 14, Join date: 09-3-11
Dear Liferay Experts,
We are currently having issues with XSS vulnerabilities in our Liferay 6.1.0 CE GA1 deployment, discovered at the following URLs and parameters:
/home/ [_58_struts_action parameter]
/home/ [p_p_mode parameter]
/home/ [p_p_state parameter]
/combo/ [m parameter]
/home/ [_58_doActionAfterLogin parameter]
/home/ [p_auth parameter]
/home/ [p_p_col parameter]
/home/ [p_p_id parameter]
/home/ [p_p_lifecycle parameter]
/home/ [saveLastPath parameter]
Please help on how to resolve this issue.
Best Regards,
Dikie Aditya.
Tomas Polesovsky, modified 9 years ago.
RE: Liferay 6.1.0 GA1 XSS Vulnerabilities
Liferay Master, Posts: 676, Join date: 09-2-13
Hi Dikie,
I wasn't able to reproduce it. I believe all these are so-called "false positives".
Can you please share the HTTP request + response to verify it?
Also please look at https://www.liferay.com/community/security-team/known-vulnerabilities and apply patches to known vulnerabilities.
Regards,
Tomas
Dikie Rendra Aditya, modified 9 years ago.
RE: Liferay 6.1.0 GA1 XSS Vulnerabilities
New Member, Posts: 14, Join date: 09-3-11
Hi Tomas,
Thanks for the reply. I'm having this issue with Internet Explorer 11 when injecting this code:
_58_struts_action=%2Flogin%2Floginb254a"><script>alert(1)</script>30bbb&_58_doActionAfterLogin=false
Regards,
Dikie Aditya
Samuel Kong, modified 9 years ago.
RE: Liferay 6.1.0 GA1 XSS Vulnerabilities
Liferay Legend, Posts: 1902, Join date: 08-3-10
Hi Dikie,
As Tomas mentioned, this is a known issue and is resolved in the patch for LPS-48071.
The patches on the CST are for 6.2, so you'll need to either upgrade to 6.2 or use the source code and create a patch yourself.
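The following is an added example, not Liferay's code and not code from any poster in this thread. It shows what a defender can do with the request Dikie posted while the LPS-48071 patch is pending: parse the query string of a request, flag the parameters named in the scanner report whose decoded values carry HTML metacharacters, apply an allow-list to the struts action value, and output-encode anything that is reflected. The log-line format, the allow-list regular expression, the client addresses and the sample lines are all assumptions constructed for the example; the second sample line carries the reported request percent-encoded the way a browser would send it.

```python
"""Detection and mitigation checks for reflected parameters in portal requests.

Added example; not Liferay code. The log format, the allow-list pattern and the
sample lines are assumptions constructed here.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Parameters named in the thread's scanner report.
WATCHED_PARAMS = {
    "_58_struts_action", "_58_doActionAfterLogin", "p_p_mode", "p_p_state",
    "p_p_col", "p_p_id", "p_p_lifecycle", "saveLastPath", "p_auth", "m",
}

# Assumption: a legitimate struts action is a slash-separated path of word characters.
STRUTS_ACTION_RE = re.compile(r"^/[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*$")
# Characters that can break out of an HTML attribute or element if reflected unencoded.
HTML_META_RE = re.compile(r"[<>\"'&]")
# Request-line extractor for the constructed common-log-format lines below.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def is_valid_struts_action(value: str) -> bool:
    """Allow-list check: True only for values shaped like /foo/bar."""
    return STRUTS_ACTION_RE.fullmatch(value) is not None


def suspicious_params(url: str) -> dict:
    """Return {param: [decoded values]} for watched params that contain HTML metacharacters."""
    found = {}
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, values in query.items():
        if name not in WATCHED_PARAMS:
            continue
        bad = [v for v in values if HTML_META_RE.search(v)]
        if bad:
            found[name] = bad
    return found


def reflect_safely(value: str) -> str:
    """Output-encode a value before echoing it into HTML; this is what removes the reflected XSS."""
    return html.escape(value, quote=True)


def scan_log(lines) -> list:
    """Return (line number, param, decoded value) triples for requests with suspicious watched params."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for name, values in suspicious_params(match.group(1)).items():
            for value in values:
                hits.append((number, name, value))
    return hits


# Constructed sample log lines (not from the thread). Line 2 is the reported
# request, percent-encoded as a browser sends it; lines 1 and 3 are benign.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2016:10:00:00 +0000] "GET /home/?p_p_id=58&p_p_lifecycle=1&_58_struts_action=%2Flogin%2Flogin HTTP/1.1" 200 4321',
    '192.0.2.11 - - [01/Jan/2016:10:00:05 +0000] "GET /home/?p_p_id=58&_58_struts_action=%2Flogin%2Floginb254a%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E30bbb&_58_doActionAfterLogin=false HTTP/1.1" 200 4380',
    '192.0.2.12 - - [01/Jan/2016:10:00:09 +0000] "GET /combo/?m=portal_css HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for number, name, value in scan_log(SAMPLE_LOG):
        print("line %d: %s=%r allow-listed=%s escaped=%r"
              % (number, name, value, is_valid_struts_action(value), reflect_safely(value)))
```

Running the block reports only the second sample line. The allow-list rejects the reported value because it contains characters outside a plain action path, and `reflect_safely` turns the same value into inert text, which is the property the server-side fix has to guarantee wherever a parameter is echoed back into the page.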