lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 22 May 2004 16:00:27 +0530 From: "Giri, Sandeep" <giris@...haw.com> To: <bugtraq@...urityfocus.com> Subject: Liferay Cross Site Scripting Flaw Advisory Name: Liferay Cross Site Scripting flaw Release Date: 05/22/2004 Application: Liferay (www.liferay.com) Author: Sandeep Giri Vendor Status: Notified ( 4 months ago) Overview: (Taken from http://www.liferay.com/products/index.jsp) Liferay Enterprise Portal was designed to: Provide organizations with a single sign-on web interface for email, document management, message board, and other useful communication tools. Multiple authentication schemes (LDAP or SQL) are pooled together so users don't have to remember a different login and password for every section of the portal. ... Details: Liferay is prone to cross site scripting flaw. Almost all the fields that takes input from one user and are displayed on another user's screen can be tricked to execute java script code. Test: Add a message with subject <script>history.go(-1)</script> Now, no user can see message board. Vendor Response: Vendor was notified on 14/01/2004. No fix have been released yet. Recommendation: While saving or displaying the data: replace &,<,> etc with &,< and > respectively. Regards, Sandeep Giri
Powered by blists - more mailing lists