Tue, 02 Apr 2013 19:48:25 +0000
CST-SA: LPS-33764 Various XSS Issues in Liferay 6.1.1
This fix groups several minor XSS issues discovered in Liferay Portal 6.1.1 into a single CST patch. The following fixes are included:
LPS-31387 XSS Vulnerability in password reset process' reminder query question field - If a user specifies the following as their own reminder query question:
"><script>alert('question')</script> then during the password reset process, the script will be executed when the user passes the captcha and is redirected to the reminder query question.
LPS-31411 Announcements: Manage Entries vulnerable to XSS in site names - If a script is present in any site name, the script will be run when a user clicks Manage Entries in the Announcements portlet.
LPS-31642 XSS Vulnerability in Site membership request form - Ability to execute script injected into site name.
LPS-31644 XSS vulnerability in Custom Fields - ability to execute arbitrary script injected into name of custom fields.
LPS-31778 XSS vulnerability in Dynamic Data Lists
LPS-32064 XSS in My Account's Custom Fields - Ability to execute script injected into name of custom fields for "My Account"
LPS-32201 XSS issue in Portal Instances forms - Ability to execute script injected into name of portal instance, when viewing the list of portal instances in Control Panel.
LPS-32528 Category's Description is not properly escaped in Category view form - Ability to execute script injected into name of asset categories when viewing the list of categories.
LPS-32529 Prevent XSS in Search Portlet Facets - Ability to cause script to be executed by injecting malicious code into a web content category, and viewing it via the faceted search portlet.
LPS-32562 XSS issues in Panel layout type - scripts can be executed by embedding them into name and description of the page when page type is Panel and then displaying the page.
LPS-33183 XSS vulnerability on page which type is "Embedded" - same as LPS-32562 but with page type "Embedded" and the script in the URL field.
LPS-33275 XSS vulnerability in Message Boards categories - Ability to execute scripts that are placed into the name of a subcategory.
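The LPS-31387 case above, as an added Python illustration (not Liferay's code and not the CST patch; the input markup and function names are assumptions made for the example). It parses both renderings to show the quoted question breaking out of a value attribute when concatenated as-is, and staying inside it once encoded on output.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input: the reminder query question quoted in LPS-31387.
QUESTION = "\"><script>alert('question')</script>"

# Assumed markup; the real Liferay form field is not shown on the page.
FIELD = '<input name="question" type="text" value="{}">'


def render_unescaped(question):
    """Behaviour described in the issue: user text placed in the attribute as-is."""
    return FIELD.format(question)


def render_escaped(question):
    """Output encoding: &, <, > and both quote characters become entities."""
    return FIELD.format(escape(question, quote=True))


class TagCollector(HTMLParser):
    """Records the start tags and input values an HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))


def parse(markup):
    """Return (start tags, input values) found in the rendered markup."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.values


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        tags, values = parse(render(QUESTION))
        print(render.__name__, "tags:", tags, "values:", values)
```

In the escaped rendering the parser still recovers the original question text as the field value, so encoding on output loses no user data.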
Issue Links
Note that some or all of these may not yet be accessible. The CST remains committed to full disclosure of all security issues once fully resolved.
See the Community Security Team Process page for details on working with source and binary patches.
Binary Patch Links
Note: The below links point to a download page which contains multiple binary patches with the following naming scheme: <patch-version>.zip. Be sure to use the latest patch for your Liferay release!
Note: Binary patches only apply to the release with which this issue is associated. Applying a binary patch to any other release will probably result in a broken install!
Source Patch Links
Note that source patches only apply to the release with which this issue is associated. Applying a source patch to any other release will probably result in a broken install! For GitHub URLs suffixed with .patch, removing this suffix will yield a graphical view of the patch.
This issue contains multiple sub-issues discovered and reported by Hai Yu, Gergely Mathe, Neil Jin, Tom Polesovsky, Vilmos Papp, Laszlo Csontos, Tamas Molnar, Daniel Reuther, and Jeffrey Yang.