
OS Command Injection, LDAP and XPath injection flaws

Vishal Kumar, edited 11 years ago.

OS Command Injection, LDAP and XPath injection flaws

Regular Member. Posts: 198. Joined: 12.12.12
Is Liferay 6.1 CE GA2 automatically able to stop:
1) OS command injection,
2) LDAP injection,
3) XPath injection flaws, as well as other injection flaws?
Hitoshi Ozawa, edited 11 years ago.

RE: OS Command Injection, LDAP and XPath injection flaws

Liferay Legend. Posts: 7942. Joined: 24.03.10
If you find any security flaw, please create a new Liferay issue in the JIRA.
Vishal Kumar, edited 11 years ago.

RE: OS Command Injection, LDAP and XPath injection flaws

Regular Member. Posts: 198. Joined: 12.12.12
Hitoshi Ozawa:
If you find any security flaw, please create a new Liferay issue in the JIRA.

Definitely, Hitoshi.
Thanks for the reply.
David H Nebinger, edited 11 years ago.

RE: OS Command Injection, LDAP and XPath injection flaws

Liferay Legend. Posts: 14916. Joined: 02.09.06
Vishal Kumar:
Is Liferay 6.1 CE GA2 automatically able to stop:
1) OS command injection,
2) LDAP injection,
3) XPath injection flaws, as well as other injection flaws?

Liferay does not allow you to invoke any OS commands directly, so you're good there.

There is no direct connection between what the user can do and LDAP (LDAP is synced with user profile changes, so as long as the user profile change passes validation, the data is valid and will be pushed indirectly to LDAP), so you're good there.

Liferay does not allow you to invoke any XPath type queries directly, so you should be good there too.

Most of the time these kinds of security problems would be introduced by your own custom portlets exposing this kind of functionality. I'd suggest doing security reviews of your own code over the Liferay core.
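The thread's closing point is that these injection classes enter through custom portlet code, not the Liferay core. The following is an added example, not code from this thread or from Liferay, showing what that looks like in a custom portlet: for each of the three flaw classes asked about, the vulnerable form sits beside a hardened form. It uses only the JDK (ProcessBuilder, an RFC 4515 filter escaper, and javax.xml.xpath with a variable resolver); the sample XML document and the hostname pattern are constructed for the example, and the method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Added example (not Liferay code): injection flaws that custom portlet code
// can introduce, each shown in a vulnerable and a hardened form.
public class PortletInjectionDemo {

    // --- 1. OS command injection --------------------------------------------
    // Vulnerable: a request parameter is spliced into a shell command line, so
    // host = "example.com; id" makes the shell run a second command.
    static String[] pingArgvVulnerable(String host) {
        return new String[] {"/bin/sh", "-c", "ping -c 1 " + host};
    }

    // Hardened: allow-list the value (hostname syntax, constructed pattern) and
    // pass it as one argv element with no shell in the path.
    private static final Pattern HOSTNAME = Pattern.compile(
        "^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
        + "(\\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$");

    static String[] pingArgv(String host) {
        if (host == null || host.length() > 253 || !HOSTNAME.matcher(host).matches()) {
            throw new IllegalArgumentException("not a hostname: " + host);
        }
        return new String[] {"ping", "-c", "1", host}; // run via new ProcessBuilder(argv).start()
    }

    // --- 2. LDAP injection --------------------------------------------------
    // Vulnerable: uid = "*)(uid=*))(|(uid=*" rewrites the filter into a wildcard match.
    static String userFilterVulnerable(String uid) {
        return "(&(objectClass=person)(uid=" + uid + "))";
    }

    // Hardened: escape the RFC 4515 filter metacharacters so the value stays data.
    static String escapeLdapFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String userFilter(String uid) {
        return "(&(objectClass=person)(uid=" + escapeLdapFilter(uid) + "))";
    }

    // --- 3. XPath injection -------------------------------------------------
    // Vulnerable: name = "' or '1'='1" closes the literal and selects every user.
    static NodeList findUserVulnerable(Document doc, String name) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        return (NodeList) xp.evaluate("//user[name='" + name + "']", doc, XPathConstants.NODESET);
    }

    // Hardened: bind the value as an XPath variable; the expression text is constant.
    static NodeList findUser(Document doc, String name) throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(v -> "name".equals(v.getLocalPart()) ? name : null);
        return (NodeList) xp.evaluate("//user[name=$name]", doc, XPathConstants.NODESET);
    }

    // Constructed sample document for the XPath cases.
    static Document sampleDoc() throws Exception {
        String xml = "<users><user><name>alice</name></user><user><name>bob</name></user></users>";
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Document doc = sampleDoc();
        String payload = "' or '1'='1";
        System.out.println("XPath vulnerable matches: " + findUserVulnerable(doc, payload).getLength());
        System.out.println("XPath hardened matches:   " + findUser(doc, payload).getLength());
        System.out.println(userFilterVulnerable("*)(uid=*))(|(uid=*"));
        System.out.println(userFilter("*)(uid=*))(|(uid=*"));
        System.out.println(String.join(" ", pingArgv("example.com")));
        try {
            pingArgv("example.com; id");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The common thread in the hardened forms is that user input never becomes part of the command, filter or expression syntax: it is validated against an allow-list and passed as argv, escaped so that only literal characters remain, or bound as a variable. A review of custom portlets, as the post recommends, is mostly a search for the places where a request parameter is concatenated into one of those three things.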