XSS and CSRF vulnerabilities in Liferay 4.2.1

kavitha sama, modified 7 years ago.

XSS and CSRF vulnerabilities in Liferay 4.2.1

New Member Posts: 2 Join date: 02.05.12
Hi.. I am using Liferay 4.2.1 and observed that Liferay Portal is vulnerable to XSS and CSRF vulnerabilities.
Please let me know how to fix these vulnerabilities and in which Liferay version the vulnerabilities are fixed.
Need help urgently.

Thanks in advance.
Kavitha Sama
Olaf Kock, modified 7 years ago.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

Liferay Legend Posts: 6403 Join date: 23.09.08
kavitha sama:
Hi.. I am using Liferay 4.2.1 and observed that Liferay Portal is vulnerable to XSS and CSRF vulnerabilities.
Please let me know how to fix these vulnerabilities and in which Liferay version the vulnerabilities are fixed.


4.2.1 was released in January 2007; that's more than 10 years ago.

You're asking for the version which has "these" vulnerabilities fixed, without naming them - however, I doubt someone would try it out and install this version of Liferay. I'm not aware of any XSS and CSRF vulnerabilities in Liferay 7 and Liferay DXP, so it would be safe to say that these versions have them fixed, whatever they were. And those are the ones that still receive updates.
Marc Lazatin, modified 6 years ago.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

New Member Posts: 3 Join date: 29.05.15
Hi,

We are using Liferay 6.2. Based on another thread, by default Liferay adds "p_auth" to the URL, which is a portal authentication token to prevent CSRF attacks, but the vulnerability test still indicates that the portal is vulnerable to cross-site request forgery. Do we have to apply some patches or deploy a hook to prevent CSRF on our portal?

Thanks in advance.
Olaf Kock, modified 6 years ago.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

Liferay Legend Posts: 6403 Join date: 23.09.08
Marc Lazatin:
We are using Liferay 6.2.

...

Do we have to apply some patches or deploy a hook to prevent CSRF on our portal?


Two questions:
  • Which 6.2.x?
  • Is this something that a tool reports, or can you reproduce the vulnerability? I've seen numerous false positives generated by automated tools.


In case you can reproduce:
For 6.2 CE: There won't be any update any more, try reproducing in 7.0.
For 6.2 EE: Check if it's fixed in the latest fix pack/service pack. Open a ticket with support if it is not.
For 7.0 GA4 (CE): Check https://liferay.com/security and open an issue
For DXP: Open a ticket with support.
Marc Lazatin, modified 6 years ago.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

New Member Posts: 3 Join date: 29.05.15
We are using 6.2 EE.
Yes, I believe the vulnerability test team used the Burp tool and we can reproduce them. Alright Olaf, we'll follow your advice first. Thank you!
Juan Gonzalez, modified 7 years ago.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

Liferay Legend Posts: 3089 Join date: 28.10.08
kavitha sama:

Hi.. I am using Liferay 4.2.1

kavitha sama:

Need help urgently.


Hi Kavitha.

Sorry, but having such an old version and "need help urgently" in the same phrase sounds incoherent to me.

As Olaf said, try newer versions to see if those are fixed (as he said, probably all of them are).