by r0t,der4444,cembo,VietMafia

Sunday, December 18, 2005

Liferay Portal Enterprise 3.6.1 XSS

Vuln. discovered by: r0t
Date: 18 Dec. 2005
Vendor: http://liferay.com/
Affected version: 3.6.1 and prior

Product Description:

One of the leading open-source portal servers with a flexible, business-friendly license, Liferay is truly open source and doesn't lock you in to a specific vendor's database or application server. We also have a dedicated team of developers and consultants to complement our product with support, training, and professional services. We are one of the most mature products in the portal space and have complemented our existing CMS functionality with a slew of new features in version 3.6.1 that make integration of portal and CMS applications easier than ever. Liferay Portal ships with more portlets out of the box than any other portal platform. It can be run on a servlet container or a full-blown J2EE application server.

Vuln. Description:

Liferay Portal Enterprise contains a flaw that allows a remote cross-site scripting attack. This flaw exists because input passed to the "_77_struts_action", "p_p_mode", "p_p_state" and search module parameters isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Examples:

/web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=maximized&p_p_mode=view&p_p_col_order=null&p_p_col_pos=2&p_p_col_count=3&_77_struts_action=[XSS]

/web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=maximized&p_p_mode=[XSS]

/web/guest/downloads/portal_ent?p_p_id=77&p_p_action=1&p_p_state=[XSS]


Solution:
Edit the source code to ensure that input is properly sanitised.
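
One way to implement the sanitisation the Solution asks for, as an added example that is not Liferay's code or part of the original advisory: allow-list the three parameters named above and HTML-encode free text such as search terms before it is echoed. The class name, the action-path pattern and the fallback values are assumptions; the state and mode names are the standard JSR-168 ones.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class PortletParamGuard {
    // Standard JSR-168 window states and portlet modes; extend for custom ones.
    static final Set<String> STATES = Set.of("normal", "maximized", "minimized");
    static final Set<String> MODES = Set.of("view", "edit", "help");
    // Assumed shape of a Struts action path: slash-separated lowercase segments.
    static final Pattern ACTION = Pattern.compile("(/[a-z0-9_]+)+");

    /** Returns value if it passes the allow-list for its parameter, else fallback. */
    static String validate(String name, String value, String fallback) {
        if (value == null) return fallback;
        boolean ok;
        switch (name) {
            case "p_p_state": ok = STATES.contains(value); break;
            case "p_p_mode": ok = MODES.contains(value); break;
            case "_77_struts_action": ok = ACTION.matcher(value).matches(); break;
            default: ok = false; // unknown parameters are never echoed raw
        }
        return ok ? value : fallback;
    }

    /** HTML-encodes text for element and quoted-attribute contexts. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real request.
        String probe = "\"><b>probe</b>";
        System.out.println(validate("p_p_state", "maximized", "normal"));          // maximized
        System.out.println(validate("p_p_mode", probe, "view"));                   // view
        System.out.println(validate("_77_struts_action", probe, "/default/view")); // /default/view
        System.out.println("Search results for: " + escapeHtml(probe));
    }
}
```

Validation on input does not replace encoding on output: any parameter value written back into the page should still pass through the encoder for the context it lands in.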

Copyright (c) 2006 Pridels Sec Crew