BugTraq
Re: Liferay Cross Site Scripting Flaw Nov 25 2004 04:27PM
michael young (myoung liferay com)
In-Reply-To: <A2A3422FEEB89D4DBFDF7692B7C737BACED1 (at) mshyd2.hyd.deshaw (dot) com [email concealed]>

The scripting flaw has been fixed as of version 2.2.0 release 10/1/2004. We urge all parties to upgrade their deployments.

>Subject: Liferay Cross Site Scripting Flaw

>Date: Sat, 22 May 2004 16:00:27 +0530

>Message-ID: <A2A3422FEEB89D4DBFDF7692B7C737BACED1 (at) mshyd2.hyd.deshaw (dot) com [email concealed]>

>From: "Giri, Sandeep" <giris (at) deshaw (dot) com [email concealed]>

>To: <bugtraq (at) securityfocus (dot) com [email concealed]>

>

>Advisory Name: Liferay Cross Site Scripting flaw

> Release Date: 05/22/2004

> Application: Liferay (www.liferay.com)

> Author: Sandeep Giri

>Vendor Status: Notified (4 months ago)

>

>Overview:

>(Taken from http://www.liferay.com/products/index.jsp)

>

>Liferay Enterprise Portal was designed to:

>

>Provide organizations with a single sign-on web interface for email, document
>management, message board, and other useful communication tools. Multiple
>authentication schemes (LDAP or SQL) are pooled together so users don't have
>to remember a different login and password for every section of the portal.

>...

>

>Details:

>

>Liferay is prone to a cross site scripting flaw. Almost all the fields that take
>input from one user and are displayed on another user's screen can be tricked to
>execute JavaScript code.

>

>Test:

>Add a message with subject <script>history.go(-1)</script>

>Now, no user can see the message board.

>

>Vendor Response:

>Vendor was notified on 14/01/2004. No fix has been released yet.

>

>

>Recommendation:

>

>While saving or displaying the data:

>replace &,<,> etc with &amp;,&lt; and &gt; respectively.

>

>

>Regards,

>Sandeep Giri

>
