Message Boards

XSS and CSRF vulnerabilities in Liferay 4.2.1

Updated 7 years ago by kavitha sama.

XSS and CSRF vulnerabilities in Liferay 4.2.1

New Member, Posts: 2, Join Date: 12/05/02
Hi. I am using Liferay 4.2.1 and observed that Liferay portal is vulnerable to XSS and CSRF vulnerabilities.
Please let me know how to fix these vulnerabilities and which Liferay version has the vulnerability fixes.
Need help urgently.

Thanks in advance.
Kavitha Sama
Updated 7 years ago by Olaf Kock.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

Liferay Legend, Posts: 6400, Join Date: 08/09/23
kavitha sama:
Hi. I am using Liferay 4.2.1 and observed that Liferay portal is vulnerable to XSS and CSRF vulnerabilities.
Please let me know how to fix these vulnerabilities and which Liferay version has the vulnerability fixes.


4.2.1 was released in January 2007; that's more than 10 years ago.

You're asking for the version which has "these" vulnerabilities fixed, without naming them - however, I doubt someone would try it out and install this version of Liferay. I'm not aware of any XSS and CSRF vulnerabilities in Liferay 7 and Liferay DXP, so it would be safe to say that these versions have them fixed, whatever they were. And those are the ones that still receive updates.
Updated 6 years ago by Marc Lazatin.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

New Member, Posts: 3, Join Date: 15/05/29
Hi,

We are using Liferay 6.2. Based on another thread, by default Liferay adds "p_auth" to the URL, which is a portal authentication token to prevent CSRF attacks, but the vulnerability test still indicates that the portal is vulnerable to cross-site request forgery. Do we have to apply some patches or deploy a hook to prevent CSRF on our portal?

Thanks in advance.
Updated 6 years ago by Olaf Kock.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

Liferay Legend, Posts: 6400, Join Date: 08/09/23
Marc Lazatin:
We are using Liferay 6.2.

...

Do we have to apply some patches or deploy a hook to prevent CSRF on our portal?


Two questions:
  • Which 6.2.x?
  • Is this something that a tool reports, or can you reproduce the vulnerability? I've seen numerous false positives generated by automated tools.


In case you can reproduce:
For 6.2 CE: There won't be any update any more, try reproducing in 7.0.
For 6.2 EE: Check if it's fixed in the latest fixpack/servicepack. Open a ticket with support if it is not.
For 7.0 GA4 (CE): Check https://liferay.com/security and open an issue
For DXP: Open a ticket with support.
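The reproduction step Olaf is asking for, as an added example that is not code from this thread or from Liferay: a constructed Python model of a p_auth-style per-session CSRF token, with the state-changing request replayed the three ways a tester would replay it in Burp Repeater (own token, no token, a token minted for a different session). The `Portal`, `Session` and `set_nickname` names, the per-session token, and the status codes are assumptions of this model; the point is that a scanner which only looks for a token in the form body, or never replays the request, reports a finding regardless of whether the server actually checks the token.

```python
"""Replay check for a p_auth-style CSRF token (constructed model, not Liferay code).

The Portal class stands in for a portlet action endpoint; enforce_token=False
models a deployment where the token is present on the URL but never validated,
which is the case a replay (not a static scan) distinguishes.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Session:
    """One logged-in user; the CSRF token is minted per session (assumption)."""
    user: str
    p_auth: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class Portal:
    """Minimal stand-in for a state-changing portlet action protected by p_auth."""

    def __init__(self, enforce_token: bool = True) -> None:
        self.enforce_token = enforce_token
        self.sessions: Dict[str, Session] = {}   # session cookie -> Session
        self.nickname: Dict[str, str] = {}       # user -> stored nickname

    def login(self, user: str) -> str:
        """Create a session and return its cookie value."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user)
        return sid

    def token_for(self, sid: str) -> str:
        """The p_auth value the portal would embed in this session's URLs."""
        return self.sessions[sid].p_auth

    def set_nickname(self, sid: str, params: Dict[str, str]) -> int:
        """State-changing action. Returns an HTTP-like status code (model values)."""
        session = self.sessions.get(sid)
        if session is None:
            return 401
        if self.enforce_token:
            supplied = params.get("p_auth", "")
            # constant-time compare against the token bound to *this* session
            if not hmac.compare_digest(supplied, session.p_auth):
                return 403
        self.nickname[session.user] = params["nickname"]
        return 200


def replay_matrix(enforce_token: bool) -> Dict[str, int]:
    """Send the same request three ways, always with the victim's session cookie.

    A forged cross-site request carries the victim's cookie but cannot carry
    the victim's p_auth, so only the first request should succeed.
    """
    portal = Portal(enforce_token=enforce_token)
    victim = portal.login("alice")
    attacker = portal.login("mallory")
    return {
        "with_own_token": portal.set_nickname(
            victim, {"nickname": "alice", "p_auth": portal.token_for(victim)}),
        "without_token": portal.set_nickname(
            victim, {"nickname": "pwned"}),
        "attacker_token": portal.set_nickname(
            victim, {"nickname": "pwned", "p_auth": portal.token_for(attacker)}),
    }


def is_csrf_protected(results: Dict[str, int]) -> bool:
    """True only if the legitimate request works and both forgeries are refused."""
    return (results["with_own_token"] == 200
            and results["without_token"] == 403
            and results["attacker_token"] == 403)


if __name__ == "__main__":
    for enforced in (True, False):
        r = replay_matrix(enforced)
        verdict = "protected" if is_csrf_protected(r) else "VULNERABLE"
        print("token enforced" if enforced else "token ignored", r, verdict)
```

Against a real portal the same three requests are sent by hand: keep the victim's session cookie, strip `p_auth` from the URL, and resend; then substitute a `p_auth` taken from a second logged-in session. If either forged request is still accepted you have a reproducible finding to put in a support ticket; if both come back refused, the scanner result is a false positive.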
Updated 6 years ago by Marc Lazatin.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

New Member, Posts: 3, Join Date: 15/05/29
We are using 6.2 EE.
Yes, I believe the vulnerability test team used the Burp tool, and we can reproduce them. Alright Olaf, we'll follow your advice first. Thank you!
Updated 7 years ago by Juan Gonzalez.

RE: XSS and CSRF vulnerabilities in Liferay 4.2.1

Liferay Legend, Posts: 3089, Join Date: 08/10/28
kavitha sama:

Hi. I am using Liferay 4.2.1

kavitha sama:

Need help urgently.


Hi Kavitha.

Sorry, but having such an old version and "need help urgently" in the same phrase sounds incoherent to me.

As Olaf said, try newer versions to see if those are fixed (as he said, probably all of them are).