OS Command Injection, LDAP and XPath injection flaws
Vishal Kumar, modified 11 years ago.
Regular Member, Posts: 198, Join date: 12.12.12
Is liferay 6.1 CE GA2 automatically able to stop -
1) OS Command Injection,
2) LDAP Injection
3) XPath injection flaws as well as other injection flaws
Hitoshi Ozawa, modified 11 years ago.
RE: OS Command Injection, LDAP and XPath injection flaws
Liferay Legend, Posts: 7942, Join date: 24.03.10
If you find any security flaw, please create a new liferay issue in the jira.
Vishal Kumar, modified 11 years ago.
RE: OS Command Injection, LDAP and XPath injection flaws
Regular Member, Posts: 198, Join date: 12.12.12
Hitoshi Ozawa:
If you find any security flaw, please create a new liferay issue in the jira.
Definitely Hitoshi.
Thanks for the reply.
David H Nebinger, modified 11 years ago.
RE: OS Command Injection, LDAP and XPath injection flaws
Liferay Legend, Posts: 14919, Join date: 02.09.06
Vishal Kumar:
Is liferay 6.1 CE GA2 automatically able to stop -
1) OS Command Injection,
2) LDAP Injection
3) XPath injection flaws as well as other injection flaws
Liferay does not allow you to invoke any OS commands directly, so you're good there.
There is no direct connection between what the user can do and LDAP (LDAP is sync'd w/ user profile changes, so as long as the user profile change passes validation, the data is valid and will be pushed indirectly to LDAP), so you're good there.
Liferay does not allow you to invoke any XPath type queries directly, so you should be good there too.
Most of the time these kinds of security problems would be introduced by your own custom portlets exposing this kind of functionality. I'd suggest doing security reviews of your own code over the Liferay core.
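The custom-portlet code David's answer points at is where an LDAP or XPath lookup built from a request parameter would go wrong. The example below is added here and is not from the thread or from Liferay; the class and method names, the inline XML document and the inputs are all constructed for illustration. It shows the two defensive habits a review should look for: escaping a value before it is spliced into an LDAP search filter (RFC 4515), and binding a value as an XPath variable instead of concatenating it into the expression.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class InjectionSafeLookups {

    // Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
    // the filter metacharacters are replaced by their \xx hex forms.
    static String escapeLdapFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Filter a portlet might use to look up a user by screen name; the user-supplied
    // part is escaped so it can only ever match as a literal uid value.
    static String userFilter(String screenName) {
        return "(&(objectClass=inetOrgPerson)(uid=" + escapeLdapFilterValue(screenName) + "))";
    }

    // XPath lookup: the screen name is bound to $uid through a variable resolver,
    // so it is compared as data and never parsed as part of the expression.
    static String findEmail(Document doc, String screenName) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(name -> "uid".equals(name.getLocalPart()) ? screenName : null);
        return xpath.evaluate("/users/user[@uid=$uid]/email/text()", doc);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(userFilter("jdoe"));             // metacharacter-free value passes through
        System.out.println(userFilter("jdoe)(uid=*"));      // constructed input: parentheses and * are escaped
        String xml = "<users><user uid=\"jdoe\"><email>jdoe@example.com</email></user></users>"; // constructed
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs in user XML
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        System.out.println(findEmail(doc, "jdoe"));                 // the matching address
        System.out.println(findEmail(doc, "jdoe\" or \"1\"=\"1"));  // constructed input: no match, empty string
    }
}
```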