lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 22 May 2004 16:00:27 +0530
From: "Giri, Sandeep" <giris@...haw.com>
To: <bugtraq@...urityfocus.com>
Subject: Liferay Cross Site Scripting Flaw


Advisory Name: Liferay Cross Site Scripting flaw
 Release Date: 05/22/2004
  Application: Liferay (www.liferay.com)
       Author: Sandeep Giri
Vendor Status: Notified ( 4 months ago)

Overview:
(Taken from http://www.liferay.com/products/index.jsp)

Liferay Enterprise Portal was designed to:

Provide organizations with a single sign-on web interface for email,
document 
management, message board, and other useful communication tools.
Multiple 
authentication schemes (LDAP or SQL) are pooled together so users don't
have 
to remember a different login and password for every section of the
portal.
...

Details:

Liferay is prone to cross site scripting flaw. Almost all the fields
that takes 
input from one user and are displayed on another user's screen can be
tricked to 
execute java script code.

Test:
Add a message with subject <script>history.go(-1)</script>
Now, no user can see message board.

Vendor Response:
Vendor was notified on 14/01/2004. No fix have been released yet.


Recommendation:

While saving or displaying the data:
replace &,<,> etc with &amp;,&lt; and &gt; respectively.


Regards,
Sandeep Giri


Powered by blists - more mailing lists