Vishal Kumar
OS Command Injection, LDAP and XPath injection flaws
December 12, 2012 22:10

Vishal Kumar
Rank: Regular Member
Posts: 198
Join date: December 11, 2012

Is Liferay 6.1 CE GA2 automatically able to stop:
1) OS Command Injection,
2) LDAP Injection,
3) XPath injection flaws, as well as other injection flaws?
Hitoshi Ozawa
RE: OS Command Injection, LDAP and XPath injection flaws
December 30, 2012 21:37

Hitoshi Ozawa
Rank: Liferay Legend
Posts: 7949
Join date: March 23, 2010

If you find any security flaw, please create a new Liferay issue in JIRA.
Vishal Kumar
RE: OS Command Injection, LDAP and XPath injection flaws
December 31, 2012 00:00

Vishal Kumar
Rank: Regular Member
Posts: 198
Join date: December 11, 2012

Hitoshi Ozawa:
If you find any security flaw, please create a new Liferay issue in JIRA.

Definitely Hitoshi.
Thanks for the reply.
David H Nebinger
RE: OS Command Injection, LDAP and XPath injection flaws
December 31, 2012 05:48

David H Nebinger
Community Moderator
Rank: Liferay Legend
Posts: 11464
Join date: September 1, 2006

Vishal Kumar:
Is Liferay 6.1 CE GA2 automatically able to stop:
1) OS Command Injection,
2) LDAP Injection,
3) XPath injection flaws, as well as other injection flaws?

Liferay does not allow you to invoke any OS commands directly, so you're good there.

There is no direct connection between what the user can do and LDAP (LDAP is synced with user profile changes, so as long as the user profile change passes validation, the data is valid and will be pushed indirectly to LDAP), so you're good there.

Liferay does not allow you to invoke any XPath type queries directly, so you should be good there too.

Most of the time these kinds of security problems would be introduced by your own custom portlets exposing this kind of functionality. I'd suggest doing security reviews of your own code over the Liferay core.
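The three injection classes asked about, as a custom portlet might introduce them and with the hardened form beside each. This is an added example for this thread; it is not code from the original posts, from Liferay, or from any portlet the poster described. The request parameter names (`uid`, `itemId`, `reportName`), the report script path and the small XML document are all hypothetical or constructed for the demonstration.

```java
// Added example, not Liferay's own code: injection flaws a custom portlet can
// introduce, each beside a hardened version. Parameter names, the script path
// and the XML document are hypothetical/constructed.
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.List;
import javax.xml.namespace.QName;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.xml.sax.InputSource;

public class InjectionExamples {

    // --- LDAP injection -----------------------------------------------------
    // Vulnerable: the filter is assembled from raw input. uid = "*)(objectClass=*"
    // turns a lookup of one user into a filter that matches every entry.
    static String unsafeLdapFilter(String uid) {
        return "(&(objectClass=inetOrgPerson)(uid=" + uid + "))";
    }

    // Hardened: escape the filter-value metacharacters listed in RFC 4515 so the
    // input can only ever be matched as a literal value.
    static String escapeLdapFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String safeLdapFilter(String uid) {
        return "(&(objectClass=inetOrgPerson)(uid=" + escapeLdapFilterValue(uid) + "))";
    }

    // --- XPath injection ----------------------------------------------------
    static final String USERS_XML = // constructed sample document
          "<users>"
        + "<user id=\"1\"><name>alice</name><role>admin</role></user>"
        + "<user id=\"2\"><name>bob</name><role>user</role></user>"
        + "</users>";

    // Vulnerable: itemId = "1' or '1'='1" makes the predicate true for every user.
    static String unsafeXPath(String itemId) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate("count(//user[@id='" + itemId + "'])",
                new InputSource(new StringReader(USERS_XML)));
    }

    // Hardened: bind the value through an XPathVariableResolver; the expression
    // text never contains user data, so the input is compared as one literal.
    static String safeXPath(final String itemId) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(new XPathVariableResolver() {
            public Object resolveVariable(QName name) {
                return "id".equals(name.getLocalPart()) ? itemId : null;
            }
        });
        return xpath.evaluate("count(//user[@id=$id])",
                new InputSource(new StringReader(USERS_XML)));
    }

    // --- OS command injection -----------------------------------------------
    // Vulnerable: a shell parses the concatenated string, so
    // reportName = "daily; rm -rf /" runs a second command.
    static Process unsafeExec(String reportName) throws IOException {
        return Runtime.getRuntime().exec(
            new String[] {"/bin/sh", "-c", "/opt/reports/gen.sh " + reportName});
    }

    // Hardened: no shell, and the argument must come from an allow-list. A fixed
    // argv alone does not stop a program that interprets its own arguments, so
    // the allow-list, not the argv split, is the real control.
    static final List<String> ALLOWED_REPORTS = Arrays.asList("daily", "weekly", "monthly");

    static Process safeExec(String reportName) throws IOException {
        if (!ALLOWED_REPORTS.contains(reportName)) {
            throw new IllegalArgumentException("unknown report: " + reportName);
        }
        return new ProcessBuilder("/opt/reports/gen.sh", reportName).start();
    }

    public static void main(String[] args) throws Exception {
        String evilUid = "*)(objectClass=*";
        System.out.println(unsafeLdapFilter(evilUid)); // (&(objectClass=inetOrgPerson)(uid=*)(objectClass=*))
        System.out.println(safeLdapFilter(evilUid));   // (&(objectClass=inetOrgPerson)(uid=\2a\29\28objectClass=\2a))
        String evilId = "1' or '1'='1";
        System.out.println(unsafeXPath(evilId)); // 2 : both users matched
        System.out.println(safeXPath(evilId));   // 0 : compared as a literal id, no match
    }
}
```

Running `main` shows the difference directly: the escaped LDAP filter still contains the attacker's text but only as a literal `uid` value, and the parameterised XPath query returns 0 where the concatenated one returns 2. The same review question applies to any portlet code that builds a query, filter or command line from request parameters.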