Discussion forums

Help me with my security vulnerability

Crucifix Light, modified 7 years ago.

Help me with my security vulnerability

New Member, Posts: 6, Join date: 14/07/13
Hi,
I would like to seek help on how to resolve my challenge in my application. Our team conducted a vulnerability scan and found an XSS vulnerability. Here is what is stated.

By changing the url and injected into the "t" URL parameter (Using method GET) in

https://xxx.xxx.xxx.xxx/html/css/main.css?browserId=ie&themeId=envision_WAR_envisiontheme&languageId=en_US&b=6102&t=\">script>630046416

How can I solve this? Please point me in the right direction.

Thanks.

Note:
I am using Liferay 6.1
and Liferay is behind a proxy
David H Nebinger, modified 7 years ago.

RE: Help me with my security vulnerability (Answer)

Liferay Legend, Posts: 14919, Join date: 2/09/06
There is no vulnerability here.

You're fetching a css file, the t= parameter is a timestamp value to get around caching browsers to use a new value.

This line doesn't do anything, is not exposing anything, is not storing anything on the server and is effectively a false positive.

Come meet me at the LSNA!
Crucifix Light, modified 7 years ago.

RE: Help me with my security vulnerability

New Member, Posts: 6, Join date: 14/07/13
Thank you very much Sir.

Very much appreciated.
David H Nebinger, modified 7 years ago.

RE: Help me with my security vulnerability

Liferay Legend, Posts: 14919, Join date: 2/09/06
Yeah, a lot of the automated scans will generate false positives; the security folks don't realize it because they won't necessarily understand Liferay.

When going through their list you have to look at the full URL and understand the context during its processing. This one, for example, should be clear even to them - you're requesting a CSS file using an HTTP GET request; it's not going to matter what the heck they tack on there, it's not going to inject code or affect either the browser or server.

Come meet me at the LSNA!
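To check a finding like this against what the server actually returns rather than against the scanner's report, here is an added triage helper (not from the thread or from Liferay): it takes the scanner's URL, the parameter named in the finding and a captured response, and reports whether the payload came back, in what form and in which content type. The URL is the one quoted in the original post; the headers and bodies are constructed.

```python
"""Triage a reflected-XSS scanner finding against the real HTTP response.

Added example, not from the forum thread or Liferay. Works on a captured
response (headers dict and body text), so it runs offline.
"""
import html
from urllib.parse import parse_qs, urlsplit

def injected_value(url: str, param: str) -> str:
    """Raw value the scanner placed in `param` (first occurrence)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(param, [""])[0]

def triage(url: str, param: str, headers: dict, body: str) -> dict:
    """Report whether the payload is reflected, raw or HTML-encoded, and in
    which content type. Header names are matched case-insensitively."""
    payload = injected_value(url, param)
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    nosniff = hdrs.get("x-content-type-options", "").strip().lower() == "nosniff"
    raw = payload != "" and payload in body
    escaped = not raw and html.escape(payload, quote=True) in body
    if not raw and not escaped:
        verdict = "false positive: payload not reflected"
    elif escaped:
        verdict = "encoded reflection: not XSS"
    elif ctype == "text/html":
        verdict = "raw reflection in HTML: investigate"
    elif nosniff:
        verdict = f"raw reflection in {ctype} with nosniff: low"
    else:
        verdict = f"raw reflection in {ctype} without nosniff: review"
    return {"param": param, "payload": payload, "content_type": ctype,
            "reflected": raw or escaped, "verdict": verdict}

# URL quoted in the scanner finding (host already masked in the post).
SCAN_URL = (r"https://xxx.xxx.xxx.xxx/html/css/main.css?browserId=ie"
            r"&themeId=envision_WAR_envisiontheme&languageId=en_US"
            r"&b=6102&t=\">script>630046416")
# Constructed responses: a plain stylesheet, and an HTML page that echoes t.
CSS_HDRS = {"Content-Type": "text/css;charset=UTF-8"}
CSS_BODY = "body { margin: 0; }\n.portlet-title { color: #333; }\n"
HTML_HDRS = {"Content-Type": "text/html; charset=UTF-8"}
HTML_ECHO = '<p>You searched for \\">script>630046416</p>'

if __name__ == "__main__":
    for hdrs, body in ((CSS_HDRS, CSS_BODY), (HTML_HDRS, HTML_ECHO)):
        print(triage(SCAN_URL, "t", hdrs, body)["verdict"])
```

The stylesheet case from the thread comes back as "payload not reflected"; the same payload echoed raw into an HTML page is the case that deserves a look.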
Hugh Kelley, modified 6 years ago.

RE: Help me with my security vulnerability

New Member, Posts: 1, Join date: 8/11/16
Is there a vulnerability scanner that you recommend for Liferay - something without the false positives that may come from a generic tool?