List:       bugtraq
Subject:    Re: Liferay Cross Site Scripting Flaw
From:       michael young <myoung () liferay ! com>
Date:       2004-11-25 16:27:53
Message-ID: 20041125162753.11380.qmail () www ! securityfocus ! com

In-Reply-To: <A2A3422FEEB89D4DBFDF7692B7C737BACED1@mshyd2.hyd.deshaw.com>

The scripting flaw has been fixed as of version 2.2.0 release 10/1/2004. We urge all
parties to upgrade their deployments.

> Subject: Liferay Cross Site Scripting Flaw
> Date: Sat, 22 May 2004 16:00:27 +0530
> Message-ID: <A2A3422FEEB89D4DBFDF7692B7C737BACED1@mshyd2.hyd.deshaw.com>
> From: "Giri, Sandeep" <giris@deshaw.com>
> To: <bugtraq@securityfocus.com>
> 
> Advisory Name: Liferay Cross Site Scripting flaw
> Release Date: 05/22/2004
> Application: Liferay (www.liferay.com)
> Author: Sandeep Giri
> Vendor Status: Notified ( 4 months ago)
> 
> Overview:
> (Taken from http://www.liferay.com/products/index.jsp)
> 
> Liferay Enterprise Portal was designed to:
> 
> Provide organizations with a single sign-on web interface for email, document
> management, message board, and other useful communication tools. Multiple
> authentication schemes (LDAP or SQL) are pooled together so users don't have
> to remember a different login and password for every section of the portal.
> ...
> 
> Details:
> 
> Liferay is prone to a cross site scripting flaw. Almost all the fields that take
> input from one user and are displayed on another user's screen can be tricked to
> execute JavaScript code.
> 
> Test:
> Add a message with subject &lt;script&gt;history.go(-1)&lt;/script&gt;
> Now, no user can see the message board.
> 
> Vendor Response:
> Vendor was notified on 14/01/2004. No fix has been released yet.
> 
> 
> Recommendation:
> 
> While saving or displaying the data:
> replace &,<,> etc with &amp;,&lt; and &gt; respectively.
> 
> 
> Regards,
> Sandeep Giri
> 

