Liferay Enterprise Portal is said to be subject to multiple cross site scripting flaws.
6a406562d84aca76726075d51e3b23200851d5566a3bce7dbf86b4d418ad6b38Advisory Name: Liferay Cross Site Scripting flaw
Release Date: 05/22/2004
Application: Liferay (www.liferay.com)
Author: Sandeep Giri
Vendor Status: Notified ( 4 months ago)
Overview:
(Taken from http://www.liferay.com/products/index.jsp)
Liferay Enterprise Portal was designed to:
Provide organizations with a single sign-on web interface for email,
document
management, message board, and other useful communication tools.
Multiple
authentication schemes (LDAP or SQL) are pooled together so users don't
have
to remember a different login and password for every section of the
portal.
...
Details:
Liferay is prone to cross site scripting flaw. Almost all the fields
that takes
input from one user and are displayed on another user's screen can be
tricked to
execute java script code.
Test:
Add a message with subject <script>history.go(-1)</script>
Now, no user can see message board.
Vendor Response:
Vendor was notified on 14/01/2004. No fix have been released yet.
Recommendation:
While saving or displaying the data:
replace &,<,> etc with &,< and > respectively.
Regards,
Sandeep Giri
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed