Message Board

Help me with my security vulnerability

Crucifix Light, modified 7 years ago.

Help me with my security vulnerability

New Member Posts: 6 Join Date: 13-7-14 Recent Posts
Hi,
I would like to seek help on how to resolve my challenge in my application. Our team conducted a vulnerability scan and found a XSS vulnerability. Here is what is stated.

By changing the URL and injecting into the "t" URL parameter (using method GET) in

https://xxx.xxx.xxx.xxx/html/css/main.css?browserId=ie&themeId=envision_WAR_envisiontheme&languageId=en_US&b=6102&t=\">script>630046416

How can I solve this? Please point me in the right direction.

Thanks.

Note:
I am using Liferay 6.1
and Liferay is behind a proxy
David H Nebinger, modified 7 years ago.

RE: Help me with my security vulnerability (Answer)

Liferay Legend Posts: 14919 Join Date: 06-9-2 Recent Posts
There is no vulnerability here.

You're fetching a css file, the t= parameter is a timestamp value to get around caching browsers to use a new value.

This line doesn't do anything, is not exposing anything, is not storing anything on the server and is effectively a false positive.

Come meet me at the LSNA!
Crucifix Light, modified 7 years ago.

RE: Help me with my security vulnerability

New Member Posts: 6 Join Date: 13-7-14 Recent Posts
Thank you very much Sir.

Very much appreciated.
David H Nebinger, modified 7 years ago.

RE: Help me with my security vulnerability

Liferay Legend Posts: 14919 Join Date: 06-9-2 Recent Posts
Yeah, a lot of the automated scans will generate false positives; the security folks don't realize it because they won't necessarily understand Liferay.

When going through their list you have to look at the full URL and understand the context during its processing. This one, for example, should be clear even to them - you're requesting a CSS file using an HTTP GET request; it's not going to matter what the heck they tack on there, it's not going to inject code or affect either the browser or server.

Come meet me at the LSNA!
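The triage the replies above describe (look at the full URL, then at what the server actually sends back) can be scripted so that each scanner finding is checked against the captured response. The following is an added example written for this thread, not code from Liferay or from either poster; the sample response is constructed to match the finding in the first post, and the function and header names are assumptions of the example.

```python
# Added triage helper (not Liferay code): classifies a scanner's reflected-XSS
# finding using the HTTP response the scanner actually received, so that a
# parameter echoed nowhere, or echoed into a non-HTML body, is filed as a
# false positive instead of a ticket.
from urllib.parse import urlsplit, parse_qs
import html

HTML_TYPES = ("text/html", "application/xhtml+xml")


def injected_value(url, param):
    """Return the value the scanner placed in `param` of the reported URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(param, [""])[0]


def triage_reflected_xss(url, param, headers, body):
    """Return (verdict, reason) for one finding.

    headers: dict of response headers (looked up case-insensitively)
    body:    response body as text
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    ctype = hdr.get("content-type", "").split(";")[0].strip().lower()
    nosniff = hdr.get("x-content-type-options", "").strip().lower() == "nosniff"
    payload = injected_value(url, param)
    if not payload:
        return ("false_positive", "no value was injected into %r" % param)
    if payload not in body:
        if html.escape(payload, quote=True) in body:
            return ("false_positive", "value reflected but HTML-encoded")
        return ("false_positive", "injected value is not reflected in the response")
    # Reflected verbatim: this only matters if the browser renders the body as HTML.
    if ctype in HTML_TYPES:
        return ("needs_manual_review", "raw reflection in an HTML response")
    if ctype == "" and not nosniff:
        return ("needs_manual_review", "raw reflection with no Content-Type; browser may sniff HTML")
    return ("false_positive", "raw reflection but Content-Type %s is not rendered as HTML" % ctype)


# Constructed sample modelled on the finding in the first post: the scanner's
# URL and a typical theme CSS response that does not echo the t= value at all.
SAMPLE_URL = ('https://xxx.xxx.xxx.xxx/html/css/main.css?browserId=ie'
              '&themeId=envision_WAR_envisiontheme&languageId=en_US&b=6102'
              '&t=\\">script>630046416')
SAMPLE_HEADERS = {"Content-Type": "text/css;charset=UTF-8"}
SAMPLE_BODY = "body { margin: 0; } /* theme envision, build 6102 */\n"

if __name__ == "__main__":
    print(triage_reflected_xss(SAMPLE_URL, "t", SAMPLE_HEADERS, SAMPLE_BODY))
```

Run it against the response saved from the scanner's own request rather than a fresh one, so the verdict reflects what the tool actually saw.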
Hugh Kelley, modified 6 years ago.

RE: Help me with my security vulnerability

New Member Posts: 1 Join Date: 16-11-8 Recent Posts
Is there a vulnerability scanner that you recommend for Liferay - something without the false positives that may come from a generic tool?