Community Security Team

The Liferay Community Security Team is an all-volunteer group of community members who manage security issues related to Liferay Portal.

Known Vulnerabilities

The following vulnerabilities are known to exist in Liferay Portal CE.  Users of older releases are strongly encouraged to upgrade to the latest Liferay Portal CE release.  Patches are only produced for the latest Liferay Portal CE release.  Source code modifications may be possible on older releases, but care must be taken to backport fixes that may not apply to older releases.

To obtain source or binary patches for each of the vulnerabilities, click on the name of the vulnerability, and look for links for source and binary patches.  To obtain a single cumulative source or binary patch for all known vulnerabilities, visit the Patch Details section of the CST Process page.  Note that the availability of the single cumulative binary patch may lag a day or two behind availability of the associated source patches.  

CST-SA: LPS-33764 Various XSS Issues in Liferay 6.1.1

Date

Tue, 02 Apr 2013 19:48:25 +0000

Title

CST-SA: LPS-33764 Various XSS Issues in Liferay 6.1.1

Description

This fix groups several minor XSS issues discovered in Liferay Portal 6.1.1 into a single CST patch. The following fixes are included:

LPS-29044 XSS issues in document & wiki comparison - Ability to inject JavaScript into a wiki page and cause the viewer to execute it when diffing wiki page versions.

LPS-31387 XSS Vulnerability in password reset process' reminder query question field - If a user specifies the following reminder query question as their own question: "><script>alert('question')</script> then during the password reset process, the script will be executed when the user passes the captcha and is redirected to the reminder query question.

LPS-31411 Announcements: Manage Entries vulnerable to XSS in site names - If a script is present in any site name; when a user clicks Manage Entries in the Announcements portlet, the script will be run.

LPS-31422 XSS vulnerability in calendar portlet (event type) - Modification of the URL used to submit new calendar entries allows arbitrary JavaScript execution.

LPS-31556 XSS issue in wiki comparison using url manipulation - Ability to inject JavaScript into a wiki page and cause the viewer to execute it when diffing wiki page versions. Similar to, but different from, LPS-29044.

LPS-31642 XSS Vulnerability in Site membership request form - Ability to execute script injected into site name.

LPS-31644 XSS vulnerability in Custom Fields - ability to execute arbitrary script injected into name of custom fields.

LPS-31778 XSS vulnerability in Dynamic Data Lists

LPS-31823 XSS in Search portlet if results are displayed in document form - Putting JavaScript into the title of assets causes the search portlet to execute it in the client browser (i.e. it's not properly sanitized).

LPS-31824 XSS vulnerability in Wiki preview - JavaScript put into a wiki page using HTML source is sanitized the first time, but is not properly sanitized after editing and previewing the edit.

LPS-32064 XSS in My Account's Custom Fields - Ability to execute script injected into name of custom fields for "My Account"

LPS-32201 XSS issue in Portal Instances forms - Ability to execute script injected into name of portal instance, when viewing the list of portal instances in Control Panel.

LPS-32528 Category's Description is not properly escaped in Category view form - Ability to execute script injected into name of asset categories when viewing the list of categories.

LPS-32529 Prevent XSS in Search Portlet Facets - Ability to cause script to be executed by injecting malicious code into a web content category, and viewing it via the faceted search portlet.

LPS-32562 XSS issues in Panel layout type - scripts can be executed by embedding them into name and description of the page when page type is Panel and then displaying the page.

LPS-33183 XSS vulnerability on page which type is "Embedded" - same as LPS-32562 but with page type "Embedded" and the script in the URL field.

LPS-33275 XSS vulnerability in Message Boards categories - Ability to execute scripts that are placed into the name of a subcategory.

LPS-33477 The JavaScript injection issue (XSS) occurs when the Reviewer is viewing comments of pending status in My Workflow Tasks - Ability to execute JavaScript injected into a Blog comment, when comments are workflow-enabled.
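
As an added illustration of the LPS-31387 pattern (example code written for this page, not Liferay's code or the CST patch): a stored value is written into a quoted HTML attribute without and with output encoding. The input markup, the class and all method names are assumptions made for the example.

```java
import java.util.List;

public class ReminderQuestionEscaping {

    // Minimal HTML escaper for element and quoted-attribute contexts
    // (stand-in written for this example, not Liferay's implementation).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: stored value concatenated into a quoted attribute.
    static String renderUnsafe(String question) {
        return "<input type=\"text\" name=\"question\" value=\"" + question + "\" readonly>";
    }

    // Hardened pattern: same (hypothetical) markup, value encoded at output time.
    static String renderSafe(String question) {
        return "<input type=\"text\" name=\"question\" value=\"" + escapeHtml(question) + "\" readonly>";
    }

    // Regression check: a stored value containing markup must not appear verbatim.
    static boolean leaksMarkup(String rendered, String stored) {
        return stored.contains("<") && rendered.contains(stored);
    }

    public static void main(String[] args) {
        // Constructed inputs: the question quoted in LPS-31387 and a benign one.
        List<String> samples = List.of(
            "\"><script>alert('question')</script>",
            "What is your father's middle name?");
        for (String q : samples) {
            System.out.println("unsafe leaks=" + leaksMarkup(renderUnsafe(q), q) + "  " + renderUnsafe(q));
            System.out.println("safe   leaks=" + leaksMarkup(renderSafe(q), q) + "  " + renderSafe(q));
        }
    }
}
```

The same check applies to the name and description fields in the other sub-issues: render each stored value through every view that displays it and confirm that no raw markup survives.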

 

Severity

Severity 2

Workaround

None

Issue Links

Note that some or all of these may not yet be accessible. The CST remains committed to full disclosure of all security issues once fully resolved.

Patching Instructions

See the Community Security Team Process page for details on working with source and binary patches.

Binary Patch Links

Note: The below links point to a download page which contains multiple binary patches with the following naming scheme: <Liferay-Version>-security-<patch-version>.zip. Be sure to use the latest patch for your Liferay release!

Note: Binary patches only apply to the release with which this issue is associated. Applying a binary patch to any other release will probably result in a broken install!

Source Patch Links

Note that source patches only apply to the release with which this issue is associated. Applying a source patch to any other release will probably result in a broken install! For GitHub URLs suffixed with .patch, removing this suffix will yield a graphical view of the patch.

Credit

This issue contains multiple sub-issues discovered and reported by Hai Yu, Gergely Mathe, Neil Jin, Tom Polesovsky, Vilmos Papp, Laszlo Csontos, Tamas Molnar, Daniel Reuther, and Jeffrey Yang.