Message Boards

Cross site scripting (XSS) in Liferay

Updated 7 years ago by H H.

Cross site scripting (XSS) in Liferay

New Member Posts: 6 Join Date: 16/03/31 Recent Posts
Dear all,

I am evaluating Liferay Community Edition 6.2 GA6 in a staff intranet development project.

The web scan from Acunetix reported that it is vulnerable to Cross Site Scripting (XSS) attacks:


Request 1 - 200 ok:
/group/control_panel/manage?doAsGroupId=24901"><script>prompt(968134)</script>&...


I found that the original URL appears in the response page without escaping those scripting characters:
<input name="mpClientURL" type="hidden" value="https://localhost:8443/group/control_panel/manage?doAsGroupId=24901"><script>prompt(968134)</script>&p_p_auth=AxHv2RdZ&p_p_id=1_WAR_marketplaceportlet&p_p_lifecycle=0&refererPlid=24904">



Request 2 - 404 not found
/combo"><script>prompt(943808)</script>


The original URL, without escaping of the scripting characters, can be found here too:
<meta property="og:url" content="https://localhost:8443/combo"><script>prompt(943808)</script>/" />



It is a very common type of XSS attack; I would expect that Liferay Portal should have handled that. Actually, I cannot find any official documentation or guidelines for XSS prevention.

On the Liferay community security team page, there is no item under the section KNOWN VULNERABILITIES for version 6.2 GA6.

Can anyone provide some guidelines for the XSS issue in Liferay? Thank you very much.
Updated 7 years ago by Samuel Kong.

RE: Cross site scripting (XSS) in Liferay

Liferay Legend Posts: 1902 Join Date: 08/03/10 Recent Posts
Hi H H,

I need a little more information to diagnose the issue. As per https://www.liferay.com/security-statement, can you contact Liferay at security@liferay.com or create a ticket on issues.liferay.com?

BTW, do you have any customization? Looking at what you posted, this may be related to your custom code.
Updated 7 years ago by H H.

RE: Cross site scripting (XSS) in Liferay

New Member Posts: 6 Join Date: 16/03/31 Recent Posts
Dear Samuel,

After reviewing the scan report and Liferay source code, I found the source of the problem.

The script in Request 1 comes from the Marketplace Portlet, under "marketplace-portlet/docroot/store/view.jsp":
<input name="mpClientURL" type="hidden" value="<%= themeDisplay.getPortalURL() + themeDisplay.getURLCurrent() %>">


The script in Request 2 comes from a customized theme portlet.

The issue can be resolved by modifying the source code, thank you.
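
Both findings in this thread share one defect: the request URL is written into a double-quoted HTML attribute without encoding. The Java sketch below is an added example, not code from Liferay or from the posters; it renders the two sinks quoted in the thread with and without attribute escaping. The class, `escapeAttribute` and the `render*` helpers are hypothetical names, the URLs are the ones from the scan report (trailing parameters omitted), and in a Liferay JSP the portal's own `HtmlUtil.escapeAttribute(...)` would take the place of the hand-written escaper.

```java
public class AttributeEscapeDemo {

    // The two sinks reported in the thread; %s is where the current URL is written.
    static final String INPUT_SINK = "<input name=\"mpClientURL\" type=\"hidden\" value=\"%s\">";
    static final String META_SINK = "<meta property=\"og:url\" content=\"%s\" />";

    // Minimal attribute-value escaper (illustration only): encodes every character
    // that can close a quoted attribute, open a tag or start an entity.
    static String escapeAttribute(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same shape as the view.jsp line: the URL is concatenated as-is.
    static String renderUnescaped(String sink, String url) {
        return String.format(sink, url);
    }

    // Hardened form: the URL is encoded for the attribute context first.
    static String renderEscaped(String sink, String url) {
        return String.format(sink, escapeAttribute(url));
    }

    // A literal "<script" in the output means the value left its attribute.
    static boolean breaksOut(String html) {
        return html.contains("<script");
    }

    public static void main(String[] args) {
        String[][] cases = {
            {INPUT_SINK, "https://localhost:8443/group/control_panel/manage?doAsGroupId=24901\"><script>prompt(968134)</script>"},
            {META_SINK, "https://localhost:8443/combo\"><script>prompt(943808)</script>/"},
        };
        for (String[] c : cases) {
            String before = renderUnescaped(c[0], c[1]);
            String after = renderEscaped(c[0], c[1]);
            System.out.println("unescaped breaks out=" + breaksOut(before) + "\n  " + before);
            System.out.println("escaped   breaks out=" + breaksOut(after) + "\n  " + after);
        }
    }
}
```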
Updated 7 years ago by Olaf Kock.

RE: Cross site scripting (XSS) in Liferay

Liferay Legend Posts: 6403 Join Date: 08/09/23 Recent Posts
With a quick try I couldn't reproduce. If you can give the full steps and full URLs to reproduce, please file an issue on issues.liferay.com and mark it as security relevant. The full procedure is on https://dev.liferay.com/web/community-security-team/process.

Note though that now that Liferay 7 CE is out, there probably will be no more updates to 6.2.