Discussion Forums

Security Issue In Liferay 6.1.0 CE & EE

Manoj GT, modified 11 years ago.

Security Issue In Liferay 6.1.0 CE & EE

Junior Member Posts: 26 Join Date: 06/04/12 Recent Posts
Hi,

We used Security AppScan to scan Liferay 6.1.0 CE & EE for security problems and we got an issue “Flash parameter AllowScriptAccess was set to always”.

And the AppScan also recommends to set the "AllowScriptAccess" parameter to 'sameDomain' which tells the Flash Player that only SWF files loaded from the same domain as the parent SWF will have script access to the hosting web page.

I have searched in the Liferay ROOT folder and got around 35 .js files which have this parameter (AllowScriptAccess).

Does anyone have a solution approach to fix the same directly or using any workaround? Or any idea of the impact of changing the value of AllowScriptAccess from "always" to "samedomain"?

Regards,
Manoj GT
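
The search described in the post above can be scripted so the result is repeatable after each upgrade. This is an added example, not part of the original thread and not Liferay code; the regular expressions, the file-suffix list and the sample input are constructed assumptions covering common ways the parameter is written.

```python
import re
import sys
from pathlib import Path

# Constructed patterns for common ways the parameter is written in JS and markup.
# They are assumptions for this example, not taken from Liferay's own files.
PATTERNS = [
    # <param name="allowScriptAccess" value="always">
    re.compile(r"""name\s*=\s*["']allowscriptaccess["'][^>]*?value\s*=\s*["'](\w+)""", re.I),
    # allowScriptAccess: "always" | allowscriptaccess="always" | ("allowScriptAccess", "always")
    re.compile(r"""allowscriptaccess["']?\s*[:=,]\s*["'](\w+)""", re.I),
]
SUFFIXES = {".js", ".jsp", ".html", ".htm", ".vm", ".ftl"}  # assumed file types

def find_settings(text):
    """Return [(line_number, value)] for every AllowScriptAccess setting in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in PATTERNS:
            hits.extend((lineno, m.group(1).lower()) for m in pattern.finditer(line))
    return hits

def audit_tree(root):
    """Return {path: [line_numbers]} for files that set the parameter to "always"."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            lines = [n for n, value in find_settings(text) if value == "always"]
            if lines:
                findings[str(path)] = lines
    return findings

# Constructed sample input covering the four spellings handled above.
SAMPLE = """\
var params = { wmode: "opaque", allowScriptAccess: "always" };
so.addParam("allowScriptAccess", "sameDomain");
<param name="allowScriptAccess" value="always" />
<embed src="player.swf" allowscriptaccess="never">
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the path of the deployed ROOT folder
        for name, lines in audit_tree(sys.argv[1]).items():
            print(f"{name}: lines {lines}")
    else:
        print(find_settings(SAMPLE))
```

Settings where the name and value sit on different lines, or are built by string concatenation, are not matched and still need a manual look.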
Hitoshi Ozawa, modified 11 years ago.

RE: Security Issue In Liferay 6.1.0 CE & EE

Liferay Legend Posts: 7942 Join Date: 24/03/10 Recent Posts
6.1.0 GA1 has several XSS and permission issues that were fixed in 6.1.1GA2. Can you check if security issue still exists in 6.1.1 GA2?
Manoj GT, modified 11 years ago.

RE: Security Issue In Liferay 6.1.0 CE & EE

Junior Member Posts: 26 Join Date: 06/04/12 Recent Posts
Thanks Hitoshi Ozawa for your response.

I have also checked in 6.1.1GA2 edition and still the parameter "AllowScriptAccess" is set to "always".

Do you have any idea about Liferay having any security check for avoiding injection of a SWF file from another domain?

Regards,
Manoj-GT
Hitoshi Ozawa, modified 11 years ago.

RE: Security Issue In Liferay 6.1.0 CE & EE

Liferay Legend Posts: 7942 Join Date: 24/03/10 Recent Posts
I haven't seen any. Please create a new jira issue.
siva rajendran, modified 8 years ago.

RE: Security Issue In Liferay 6.1.0 CE & EE

New Member Posts: 4 Join Date: 12/07/15 Recent Posts
I have faced the same issue. The security scan says that,
"Flash parameter AllowScriptAccess was set to always"

and the fix recommendation is as follows:

"Set the AllowScriptAccess parameter to 'sameDomain' which tells the Flash Player that only SWF files loaded from the same domain as the parent SWF will have script access to the hosting web page"

I am using "Liferay Portal Community Edition 6.2 CE GA2 (Newton / Build 6201 / March 20, 2014)".

Can anyone suggest a solution for this? How do I set it to "sameDomain"? I guess there will be a proper fix for this issue by this time.

Thanks in advance
David H Nebinger, modified 8 years ago.

RE: Security Issue In Liferay 6.1.0 CE & EE

Liferay Legend Posts: 14919 Join Date: 02/09/06 Recent Posts
You're opening a 3 year old thread on an old version of Liferay. You're probably not going to get much visibility on this. Open a new thread instead.
siva rajendran, modified 8 years ago.

RE: Security Issue In Liferay 6.1.0 CE & EE

New Member Posts: 4 Join Date: 12/07/15 Recent Posts
I have created a new thread here.
https://www.liferay.com/community/forums/-/message_boards/message/56250310

Help me to get a solution.
Thanks in advance.