Web Application Security
Persistent xss liferay enterprise cms Oct 07 2015 05:58AM
Tim Schughart (tim schughart icloud com)
Hey guys,

during a penetration test I found an unknown persistent XSS in the Liferay Portal backend. Liferay is already informed.

##################
#General Information#
##################

Manufacturer description:
Liferay Portal is an enterprise-web-platform for the development of business solutions, which provides quick results and long-term values.

########
#Details#
########
· Product: Liferay Portal Enterprise Edition (6.2 EE SP13)
· Affected versions : All <= 6.2 EE SP13
· Type of attack: Persistent Cross Site Scripting
· Proof Of Concept: Yes, 6.2 EE SP13
· Authentication required: Yes
· Reason: Missing input validation
· Impact: Injection of malicious JavaScript code

######
#PoC#
######
You have to be authenticated in the administrator backend.
Here you have to browse to the control center:
- In configuration click on portal settings
- Select authentication
- Select ldap
- Select add server
- Input the following code in server name

Value for ldap server name field:
Name_of_ldap_server<script>alert("XSS")</script>

The script is inserted persistently into the configuration page until the ldap server is deleted from the database again.

#Protection
Set XSS header and create a WAF rule until it's patched.

Best regards / Mit freundlichen Grüßen

Tim Schughart
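
Added example, not part of the original post and not Liferay's code: a sketch of the two server-side controls that address the stated reason (missing input validation) for the server name field, namely allowlist validation on save and HTML encoding on render. The function names, the allowlist pattern, the length limit and the table-cell markup are assumptions made for illustration.

```python
import html
import re

# Assumption: a server name only needs letters, digits, spaces and a few
# separators. The allowlist and length limit are illustrative, not Liferay's.
SERVER_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,74}")


def validate_server_name(raw: str) -> str:
    """Input validation: reject anything outside the allowlist on save."""
    name = raw.strip()
    if not SERVER_NAME_RE.fullmatch(name):
        raise ValueError("LDAP server name contains characters that are not allowed")
    return name


def render_server_row(stored_name: str) -> str:
    """Output encoding: escape on render, so values stored before the
    validator existed (or written by another code path) stay inert."""
    escaped = html.escape(stored_name, quote=True)
    return '<td class="ldap-server-name">{}</td>'.format(escaped)


def save_and_render(raw: str) -> str:
    """Hypothetical request flow: validate first, then encode for the page."""
    return render_server_row(validate_server_name(raw))


# Constructed sample inputs; the second is the field value from the PoC above.
BENIGN = "Corp LDAP-01"
POC_VALUE = 'Name_of_ldap_server<script>alert("XSS")</script>'

if __name__ == "__main__":
    print(save_and_render(BENIGN))
    try:
        save_and_render(POC_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
    # A row stored before validation was added is still rendered as text.
    print(render_server_row(POC_VALUE))
```

Encoding on render is the control that covers rows already in the database; validation alone only stops new entries.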
