Forum

Help me with my security vulnerability

Crucifix Light, modified 7 years ago.

New Member, Posts: 6, Join Date: 14/07/13
Hi,
I would like to seek help on how to resolve my challenge in my application. Our team conducted a vulnerability scan and found an XSS vulnerability. Here is what is stated.

By changing the URL and injecting into the "t" URL parameter (using method GET) in

https://xxx.xxx.xxx.xxx/html/css/main.css?browserId=ie&themeId=envision_WAR_envisiontheme&languageId=en_US&b=6102&t=\">script>630046416

How can I solve this? Please point me in the right direction.

Thanks.

Note:
I am using Liferay 6.1
and Liferay is behind a proxy
David H Nebinger, modified 7 years ago.

RE: Help me with my security vulnerability (Answer)

Liferay Legend, Posts: 14919, Join Date: 02/09/06
There is no vulnerability here.

You're fetching a css file, the t= parameter is a timestamp value to get around caching browsers to use a new value.

This line doesn't do anything, is not exposing anything, is not storing anything on the server and is effectively a false positive.

Come meet me at the LSNA!
Crucifix Light, modified 7 years ago.

RE: Help me with my security vulnerability

New Member, Posts: 6, Join Date: 14/07/13
Thank you very much Sir.

Very much appreciated.
David H Nebinger, modified 7 years ago.

RE: Help me with my security vulnerability

Liferay Legend, Posts: 14919, Join Date: 02/09/06
Yeah, a lot of the automated scans will generate false positives; the security folks don't realize it because they won't necessarily understand Liferay.

When going through their list you have to look at the full URL and understand the context during its processing. This one, for example, should be clear even to them - you're requesting a CSS file using an HTTP GET request; it's not going to matter what the heck they tack on there, it's not going to inject code or affect either the browser or server.

Come meet me at the LSNA!
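The advice in the two replies above (read the full URL, then understand what the request actually returns) can be turned into a repeatable triage step for scanner findings of this kind. The following Python is an added example, not code from the thread or from Liferay: it parses the flagged URL, pulls out the value the scanner injected into "t", and classifies a response by whether that value is echoed back raw, echoed back HTML-escaped, or not at all, and by whether the Content-Type is one a browser would render as HTML. The host is a placeholder, the responses are constructed inline, and the function names are assumptions.

```python
"""Triage a reflected-XSS scanner finding against a real response.

Added example for this thread; it is not code from the posts or from Liferay.
It models the two checks the replies describe: read the full URL to see what
is being requested, then confirm whether the flagged parameter value actually
comes back in a body the browser would render as HTML. The host is a
placeholder, the responses are constructed inline, and all function names are
assumptions.
"""
import html
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Marker the scanner injected into "t" in the original post (host is a placeholder).
MARKER = r'\">script>630046416'
SCANNER_URL = (
    "https://portal.example/html/css/main.css"
    "?browserId=ie&themeId=envision_WAR_envisiontheme&languageId=en_US&b=6102&t=" + MARKER
)

# Media types a browser renders as a document; a raw reflection here matters.
HTML_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def media_type(resp: Response) -> str:
    """Lower-cased Content-Type without parameters, or '' if the header is absent."""
    return resp.headers.get("Content-Type", "").split(";")[0].strip().lower()


def reflection(resp: Response, marker: str):
    """'raw' if the marker is echoed verbatim, 'escaped' if only its
    HTML-escaped form appears, None if it is not in the body at all."""
    if marker in resp.body:
        return "raw"
    escaped = html.escape(marker, quote=True)
    if escaped != marker and escaped in resp.body:
        return "escaped"
    return None


def triage(url: str, param: str, resp: Response) -> dict:
    """Classify one finding. Verdicts:
    param_missing       the parameter is not even in the URL
    not_reflected       value never appears in the body (the CSS case in this thread)
    reflected_escaped   appears only HTML-escaped
    reflected_non_html  appears raw, but the response is not an HTML document
    confirmed           appears raw in an HTML (or untyped, hence sniffable) response
    """
    parts = urlsplit(url)
    values = parse_qs(parts.query, keep_blank_values=True).get(param)
    result = {"path": parts.path, "param": param, "value": None,
              "content_type": media_type(resp), "reflection": None}
    if not values:
        result["verdict"] = "param_missing"
        return result
    result["value"] = values[0]
    refl = reflection(resp, values[0])
    result["reflection"] = refl
    # No Content-Type at all lets the browser sniff, so treat it as renderable.
    renderable = result["content_type"] in HTML_TYPES or result["content_type"] == ""
    if refl == "raw" and renderable:
        result["verdict"] = "confirmed"
    elif refl == "raw":
        result["verdict"] = "reflected_non_html"
    elif refl == "escaped":
        result["verdict"] = "reflected_escaped"
    else:
        result["verdict"] = "not_reflected"
    return result


# Constructed responses standing in for what the portal would return.
CSS_RESPONSE = Response(200, {"Content-Type": "text/css;charset=UTF-8"},
                        ".portlet-title { margin: 0; }\n")
HTML_REFLECTING = Response(200, {"Content-Type": "text/html; charset=UTF-8"},
                           '<input name="t" value="' + MARKER + '">')
HTML_ESCAPED = Response(200, {"Content-Type": "text/html; charset=UTF-8"},
                        '<input name="t" value="' + html.escape(MARKER, quote=True) + '">')

if __name__ == "__main__":
    for name, resp in [("css", CSS_RESPONSE), ("html-raw", HTML_REFLECTING),
                       ("html-escaped", HTML_ESCAPED)]:
        r = triage(SCANNER_URL, "t", resp)
        print(f"{name:13} {r['path']:20} {r['content_type']:10} -> {r['verdict']}")
```

For the stylesheet request in this thread the result is `not_reflected`: the "t" value is only a cache-busting timestamp and never appears in the CSS body, which is what makes the finding a false positive. The `reflected_non_html` verdict is the one to look at twice: a raw echo inside a `text/css` body is not rendered as a document, but only if the server also sends `X-Content-Type-Options: nosniff`, so that header is worth confirming while the response is in hand.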
Hugh Kelley, modified 6 years ago.

RE: Help me with my security vulnerability

New Member, Posts: 1, Join Date: 08/11/16
Is there a vulnerability scanner that you recommend for Liferay - something without the false positives that may come from a generic tool?