Cross site scripting (XSS) in Liferay
Dear all,
I am evaluating Liferay Community Edition 6.2 GA6 in a staff intranet development project.
The web scan from Acunetix reported that it is vulnerable to Cross Site Scripting (XSS) attacks:
Request 1 - 200 ok:
/group/control_panel/manage?doAsGroupId=24901"><script>prompt(968134)</script>&...
I found that the original URL appears in the response page without those scripting characters being escaped:
<input name="mpClientURL" type="hidden" value="https://localhost:8443/group/control_panel/manage?doAsGroupId=24901"><script>prompt(968134)</script>&p_p_auth=AxHv2RdZ&p_p_id=1_WAR_marketplaceportlet&p_p_lifecycle=0&refererPlid=24904">
Request 2 - 404 not found
/combo"><script>prompt(943808)</script>
The original URL, with the scripting characters unescaped, can be found too:
<meta property="og:url" content="https://localhost:8443/combo"><script>prompt(943808)</script>/" />
It is a very common type of XSS attack; I would expect that Liferay Portal should have handled that. Actually, I cannot find any official documentation or guidelines for XSS prevention.
On the Liferay Community Security Team page, there is no item under the KNOWN VULNERABILITIES section for version 6.2 GA6.
Can anyone provide some guidelines for XSS issues in Liferay? Thank you very much.
Updated 7 years ago by Samuel Kong.
RE: Cross site scripting (XSS) in Liferay
Liferay Legend  Posts: 1902  Join Date: 08/03/10  Recent Posts
Hi H H,
I need a little more information to diagnose the issue. As per https://www.liferay.com/security-statement, can you contact Liferay at security@liferay.com or create a ticket on issues.liferay.com?
BTW, do you have any customization? Looking at what you posted, this may be related to your custom code.
Updated 7 years ago by H H.
RE: Cross site scripting (XSS) in Liferay
New Member  Posts: 6  Join Date: 16/03/31  Recent Posts
Dear Samuel,
After reviewing the scan report and the Liferay source code, I found the source of the problem.
The script in Request 1 comes from the Marketplace Portlet, under "marketplace-portlet/docroot/store/view.jsp":
<input name="mpClientURL" type="hidden" value="<%= themeDisplay.getPortalURL() + themeDisplay.getURLCurrent() %>">
The script in Request 2 comes from a customized theme portlet.
The issue can be resolved by modifying the source code, thank you.
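Both findings in this thread are the same defect: a request-derived URL is written into an HTML attribute value (`value="..."` in the hidden input, `content="..."` in the `og:url` meta tag) without attribute-context escaping, so a `"` in the URL closes the attribute and a following `>` closes the tag. The class below is an added example, not Liferay's code or the marketplace portlet's fix: it reproduces the unsafe concatenation from the JSP line quoted above, puts a hardened rendering next to it, and feeds both the scanner string from Request 1 (copied from the thread as constructed input). The `escapeAttribute` helper here is self-contained; to my knowledge the equivalent in a Liferay 6.2 JSP is `HtmlUtil.escapeAttribute(...)`, which is an assumption about the helper's name rather than something this thread states.

```java
/**
 * Added example (not Liferay project code): why the hidden input in
 * marketplace-portlet's view.jsp is exploitable, and what attribute
 * escaping changes about the rendered markup.
 */
public class AttributeEscapeDemo {

    // Constructed input: the portal URL plus the scanner's request path from
    // Request 1 in the thread, exactly the shape that reached the JSP.
    static final String SCANNER_URL =
        "https://localhost:8443/group/control_panel/manage?doAsGroupId=24901"
        + "\"><script>prompt(968134)</script>"
        + "&p_p_id=1_WAR_marketplaceportlet";

    // Mirrors the original JSP line: the value is concatenated straight into
    // the attribute, so a quote in the URL terminates the attribute.
    static String renderUnsafe(String currentUrl) {
        return "<input name=\"mpClientURL\" type=\"hidden\" value=\""
            + currentUrl + "\">";
    }

    // Hardened form: every character that can end or alter an attribute
    // value is emitted as a character reference, so the browser keeps the
    // whole string inside value="...".
    static String renderSafe(String currentUrl) {
        return "<input name=\"mpClientURL\" type=\"hidden\" value=\""
            + escapeAttribute(currentUrl) + "\">";
    }

    // Minimal attribute-context escaper. Escaping & as well keeps existing
    // character references in the URL from being reinterpreted.
    static String escapeAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Review check: a template that renders one hidden input must produce
    // exactly one '<'. Any extra one means the value broke out of the tag.
    static int countTagOpeners(String html) {
        int n = 0;
        for (int i = 0; i < html.length(); i++) {
            if (html.charAt(i) == '<') {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        String unsafe = renderUnsafe(SCANNER_URL);
        String safe = renderSafe(SCANNER_URL);

        System.out.println("unsafe rendering:");
        System.out.println(unsafe);
        System.out.println("tag openers: " + countTagOpeners(unsafe)
            + (countTagOpeners(unsafe) == 1 ? " (ok)" : " (broke out of the attribute)"));

        System.out.println("safe rendering:");
        System.out.println(safe);
        System.out.println("tag openers: " + countTagOpeners(safe)
            + (countTagOpeners(safe) == 1 ? " (ok)" : " (broke out of the attribute)"));
    }
}
```

The same escaping rule applies to the theme's `og:url` meta tag from Request 2: the value is in an attribute, so attribute escaping (not URL encoding, and not JavaScript escaping) is the one that matches the output context. Counting `<` in a single rendered element is a cheap regression check for templates like this once the fix is in.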
Updated 7 years ago by Olaf Kock.
RE: Cross site scripting (XSS) in Liferay
Liferay Legend  Posts: 6403  Join Date: 08/09/23  Recent Posts
With a quick try I couldn't reproduce. If you can give the full steps and full URLs to reproduce, please file an issue on issues.liferay.com, mark it as security relevant. The full procedure is on https://dev.liferay.com/web/community-security-team/process.
Note though that now that Liferay 7 CE is out, there probably will be no more updates to 6.2.