lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041125162753.11380.qmail@www.securityfocus.com>
Date: 25 Nov 2004 16:27:53 -0000
From: michael young <myoung@...eray.com>
To: bugtraq@...urityfocus.com
Subject: Re: Liferay Cross Site Scripting Flaw


In-Reply-To: <A2A3422FEEB89D4DBFDF7692B7C737BACED1@...yd2.hyd.deshaw.com>

The scripting flaw as been fixed as of version 2.2.0 release 10/1/2004. We urge all parties to upgrade their deployments. 

>Received: (qmail 21320 invoked from network); 22 May 2004 22:20:19 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 22 May 2004 22:20:19 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>	by outgoing2.securityfocus.com (Postfix) with QMQP
>	id 88099143702; Sun, 23 May 2004 00:22:47 -0600 (MDT)
>Mailing-List: contact bugtraq-help@...urityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@...urityfocus.com>
>List-Help: <mailto:bugtraq-help@...urityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@...urityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@...urityfocus.com>
>Delivered-To: mailing list bugtraq@...urityfocus.com
>Delivered-To: moderator for bugtraq@...urityfocus.com
>Received: (qmail 6451 invoked from network); 22 May 2004 04:15:04 -0000
>content-class: urn:content-classes:message
>MIME-Version: 1.0
>Content-Type: text/plain;
>	charset="us-ascii"
>Content-Transfer-Encoding: quoted-printable
>X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
>Subject: Liferay Cross Site Scripting Flaw
>Date: Sat, 22 May 2004 16:00:27 +0530
>Message-ID: <A2A3422FEEB89D4DBFDF7692B7C737BACED1@...yd2.hyd.deshaw.com>
>X-MS-Has-Attach: 
>X-MS-TNEF-Correlator: 
>Thread-Topic: Liferay Cross Site Scripting Flaw
>Thread-Index: AcPmpUmE91+L5WoMTe2EuP69XNlV6BZO3dmg
>From: "Giri, Sandeep" <giris@...haw.com>
>To: <bugtraq@...urityfocus.com>
>
>Advisory Name: Liferay Cross Site Scripting flaw
> Release Date: 05/22/2004
>  Application: Liferay (www.liferay.com)
>       Author: Sandeep Giri
>Vendor Status: Notified ( 4 months ago)
>
>Overview:
>(Taken from http://www.liferay.com/products/index.jsp)
>
>Liferay Enterprise Portal was designed to:
>
>Provide organizations with a single sign-on web interface for email,
>document=20
>management, message board, and other useful communication tools.
>Multiple=20
>authentication schemes (LDAP or SQL) are pooled together so users don't
>have=20
>to remember a different login and password for every section of the
>portal.
>...
>
>Details:
>
>Liferay is prone to cross site scripting flaw. Almost all the fields
>that takes=20
>input from one user and are displayed on another user's screen can be
>tricked to=20
>execute java script code.
>
>Test:
>Add a message with subject &lt;script&gt;history.go(-1)&lt;/script&gt;
>Now, no user can see message board.
>
>Vendor Response:
>Vendor was notified on 14/01/2004. No fix have been released yet.
>
>
>Recommendation:
>
>While saving or displaying the data:
>replace &,<,> etc with &amp;,&lt; and &gt; respectively.
>
>
>Regards,
>Sandeep Giri
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ