Re: Liferay Cross Site Scripting Flaw

[michael young <myoung () liferay com>]

In-Reply-To: <A2A3422FEEB89D4DBFDF7692B7C737BACED1 () mshyd2 hyd deshaw com>

The scripting flaw as been fixed as of version 2.2.0 release 10/1/2004. We urge all parties to upgrade their 
deployments. 

> Received: (qmail 21320 invoked from network); 22 May 2004 22:20:19 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 22 May 2004 22:20:19 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 88099143702; Sun, 23 May 2004 00:22:47 -0600 (MDT)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 6451 invoked from network); 22 May 2004 04:15:04 -0000
> content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
> Subject: Liferay Cross Site Scripting Flaw
> Date: Sat, 22 May 2004 16:00:27 +0530
> Message-ID: <A2A3422FEEB89D4DBFDF7692B7C737BACED1 () mshyd2 hyd deshaw com>
> X-MS-Has-Attach: 
> X-MS-TNEF-Correlator: 
> Thread-Topic: Liferay Cross Site Scripting Flaw
> Thread-Index: AcPmpUmE91+L5WoMTe2EuP69XNlV6BZO3dmg
> From: "Giri, Sandeep" <giris () deshaw com>
> To: <bugtraq () securityfocus com>
>
> Advisory Name: Liferay Cross Site Scripting flaw
> Release Date: 05/22/2004
>  Application: Liferay (www.liferay.com)
>       Author: Sandeep Giri
> Vendor Status: Notified ( 4 months ago)
>
> Overview:
> (Taken from http://www.liferay.com/products/index.jsp)
>
> Liferay Enterprise Portal was designed to:
>
> Provide organizations with a single sign-on web interface for email,
> document=20
> management, message board, and other useful communication tools.
> Multiple=20
> authentication schemes (LDAP or SQL) are pooled together so users don't
> have=20
> to remember a different login and password for every section of the
> portal.
> ...
>
> Details:
>
> Liferay is prone to cross site scripting flaw. Almost all the fields
> that takes=20
> input from one user and are displayed on another user's screen can be
> tricked to=20
> execute java script code.
>
> Test:
> Add a message with subject &lt;script&gt;history.go(-1)&lt;/script&gt;
> Now, no user can see message board.
>
> Vendor Response:
> Vendor was notified on 14/01/2004. No fix have been released yet.
>
>
> Recommendation:
>
> While saving or displaying the data:
> replace &,<,> etc with &amp;,&lt; and &gt; respectively.
>
>
> Regards,
> Sandeep Giri