Message Boards
XSS in Liferay with Java Server Face 2.1
Greetings to all. This is from an English translator.
My application uses JavaServer Faces 2.1 and PrimeFaces 3.5.
Security tests are injecting the following script (XSS) into the request: _LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__facesViewIdResource=/views/loginsucursalvirtual/View.xhtml]]></ErrorMessage><EvilTag>NeoSecure_Octubre2016</EvilTag><ErrorMessage><![CDATA[viewId:
In the end, the request looks like this: http://IP:PORT/web/company/home?p_p_cacheability=cacheLevelPage&p_p_col_count=2&p_p_col_id=column-1&p_p_col_pos=1&p_p_id=LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet&p_p_lifecycle=2&p_p_mode=view&p_p_state=normal&_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__facesViewIdResource=/views/loginsucursalvirtual/View.xhtml%5D%5D%3E%3C/errormessage%3E%3CEvilTag%3ENeoSecure_Octubre2016%3C/EvilTag%3E%3Cerrormessage%3E%3C!%5BCDATA%5BviewId:&_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__jsfBridgeAjax=true&A4284%3Aj_idt8=A4284%3Aj_idt8&A4284%3Aj_idt8%3Aj_idt19=A4284%3Aj_idt8%3Aj_idt19&A4284%3Aj_idt8%3Apassword=xxxxx&A4284%3Aj_idt8%3Arut=xxxxx&javax.faces.encodedURL=http%3A%2F%2FIP%3APORT%2Fweb%2Fcompany%2Fhome%3Fp_p_id%3DLoginSucursalVirtual_WAR_LoginSucursalVirtualportlet%26p_p_lifecycle%3D2%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_cacheability%3DcacheLevelPage%26p_p_col_id%3Dcolumn-1%26p_p_col_count%3D2%26p_p_col_pos%3D1%26_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__jsfBridgeAjax%3Dtrue%26_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__facesViewIdResource%3D%252Fviews%252Floginsucursalvirtual%252Fview.xhtml&javax.faces.partial.ajax=true&javax.faces.partial.execute=%40all&javax.faces.source=A4284%3Aj_idt8%3Aj_idt19&javax.faces.ViewState=-764305338050689266%3A8833452760774064468
How can I prevent this parameter from being injected into the request in Liferay with JSF?
Thank you.
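The payload in the post works by closing the CDATA section of the JSF partial-response XML with "]]>" so that the injected tags land in the error-message markup. As an added example (not code from the thread, and written in Python rather than the portlet's Java so it can be run stand-alone), the block below shows the two defender-side pieces that address exactly that: an assumed allowlist for the facesViewIdResource value, and the standard CDATA split that keeps a reflected value from ever terminating the section. The sample request is constructed from the one quoted above, with IP and PORT left as placeholders.

```python
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, shortened from the one quoted in the post
# (IP and PORT are placeholders, the payload text is reduced to "x").
SAMPLE_URL = (
    "http://IP:PORT/web/company/home"
    "?p_p_id=LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet"
    "&p_p_lifecycle=2"
    "&_LoginSucursalVirtual_WAR_LoginSucursalVirtualportlet__facesViewIdResource="
    "/views/loginsucursalvirtual/View.xhtml%5D%5D%3E%3C/errormessage%3E%3CEvilTag%3Ex%3C/EvilTag%3E"
    "&javax.faces.partial.ajax=true"
)

# Assumed allowlist: a legitimate view id is a plain /path/to/View.xhtml and nothing else.
VIEW_ID_RE = re.compile(r"^/[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.xhtml$")


def is_valid_view_id(value: str) -> bool:
    """Allowlist check on the view id; anything with markup, ']]>' or '..' fails."""
    return bool(VIEW_ID_RE.match(value))


def cdata_safe(text: str) -> str:
    """Make text safe to place inside <![CDATA[ ... ]]>.

    The only sequence that can end a CDATA section is ']]>', so it is split into
    ']]]]><![CDATA[>': the first ']]' stays in the open section, the section is
    closed and reopened, and the '>' is emitted inside the new section. The XML
    parser sees the original characters; the reflected value cannot break out.
    """
    return text.replace("]]>", "]]]]><![CDATA[>")


def find_view_id_injections(url: str) -> List[str]:
    """Detection helper: return every facesViewIdResource value that fails the allowlist.

    Suitable for running over request logs or as a pre-check before the bridge
    ever sees the parameter.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    suspicious = []
    for name, values in params.items():
        if name.endswith("__facesViewIdResource"):
            suspicious.extend(v for v in values if not is_valid_view_id(v))
    return suspicious
```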
Neil Griffin, modified 7 years ago.
RE: XSS in Liferay with Java Server Face 2.1
Liferay Legend  Posts: 2655  Join Date: 05-7-27  Recent Posts
Hi David,
The error message indicates that you are trying to perform a login with XHR (perhaps with f:ajax in your view), which will not work. Instead, the login needs to take place with a full-page HTTP postback.
I recommend that you try our jsf-login-portlet demo. The source can be found at GitHub and the Liferay Portal 7.0 version and Liferay Portal 6.2 version can be downloaded from Maven Central as downloadable wars that you can copy to $LIFERAY_HOME/deploy in order to try in your environment.
Kind Regards,
Neil