In-Reply-To: <A2A3422FEEB89D4DBFDF7692B7C737BACED1@xxxxxxxxxxxxxxxxxxxxx>

The scripting flaw has been fixed as of version 2.2.0, released 10/1/2004. We urge all parties to upgrade their deployments.

> Subject: Liferay Cross Site Scripting Flaw
> Date: Sat, 22 May 2004 16:00:27 +0530
> Message-ID: <A2A3422FEEB89D4DBFDF7692B7C737BACED1@xxxxxxxxxxxxxxxxxxxxx>
> From: "Giri, Sandeep" <giris@xxxxxxxxxx>
> To: <bugtraq@xxxxxxxxxxxxxxxxx>
>
> Advisory Name: Liferay Cross Site Scripting flaw
> Release Date: 05/22/2004
> Application: Liferay (www.liferay.com)
> Author: Sandeep Giri
> Vendor Status: Notified (4 months ago)
>
> Overview:
> (Taken from http://www.liferay.com/products/index.jsp)
>
> Liferay Enterprise Portal was designed to:
>
> Provide organizations with a single sign-on web interface for email, document
> management, message board, and other useful communication tools. Multiple
> authentication schemes (LDAP or SQL) are pooled together so users don't have
> to remember a different login and password for every section of the portal.
> ...
>
> Details:
>
> Liferay is prone to a cross site scripting flaw. Almost all the fields that
> take input from one user and are displayed on another user's screen can be
> tricked into executing JavaScript code.
>
> Test:
> Add a message with subject <script>history.go(-1)</script>
> Now, no user can see the message board.
>
> Vendor Response:
> Vendor was notified on 14/01/2004. No fix has been released yet.
>
> Recommendation:
>
> While saving or displaying the data:
> replace &, <, > etc. with &amp;, &lt; and &gt; respectively.
>
> Regards,
> Sandeep Giri
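The advisory's recommendation, output-encoding the stored subject before it is displayed, worked through as an added example. This is illustrative Python written for this page, not Liferay's code or the advisory author's; the function names, the two template fragments and the attribute-context payload are constructed here. It shows the advisory's own payload rendered unescaped versus escaped, and one caveat a practitioner should know: replacing only &, < and > protects HTML text content, but a value placed inside a quoted attribute also needs its quotes encoded.

```python
# Added example: HTML output encoding for a message-board subject, following
# the advisory's recommendation to replace &, < and > before display.
# Illustrative code, not Liferay's; function names and template fragments
# are constructed for this demonstration.
import html

# Constructed payload, the same string the advisory uses in its Test section.
PAYLOAD = "<script>history.go(-1)</script>"


def escape_min(s: str) -> str:
    """The advisory's fix: &, < and > become &amp;, &lt; and &gt;.

    & is replaced first; replacing it afterwards would re-encode the & in &lt;.
    """
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_attr(s: str) -> str:
    """Stricter variant for values placed inside quoted HTML attributes."""
    return escape_min(s).replace('"', "&quot;").replace("'", "&#x27;")


def matches_stdlib(s: str) -> bool:
    """Sanity check: escape_min agrees with html.escape(quote=False) for &, <, >."""
    return escape_min(s) == html.escape(s, quote=False)


def render_subject_vulnerable(subject: str) -> str:
    """'Before': the stored subject is interpolated into the page verbatim."""
    return f'<td class="subject">{subject}</td>'


def render_subject_fixed(subject: str) -> str:
    """'After': the subject is encoded at display time, as the advisory recommends."""
    return f'<td class="subject">{escape_min(subject)}</td>'


def render_title_attr_fixed(subject: str) -> str:
    """Attribute context: &, <, > alone is not enough; quotes must be encoded too."""
    return f'<a href="view_message" title="{escape_attr(subject)}">view</a>'


def contains_script_tag(markup: str) -> bool:
    """Crude check to run over rendered output: is a literal <script tag present?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    before = render_subject_vulnerable(PAYLOAD)
    after = render_subject_fixed(PAYLOAD)
    print("vulnerable:", before, "| script tag:", contains_script_tag(before))
    print("fixed:     ", after, "| script tag:", contains_script_tag(after))
    # Constructed attribute break-out attempt: it contains no angle brackets,
    # so escape_min leaves it untouched and only escape_attr neutralises it.
    attr_payload = '" onmouseover="alert(1)'
    print("escape_min leaves quotes:", escape_min(attr_payload) == attr_payload)
    print("escape_attr:", render_title_attr_fixed(attr_payload))
```

Encoding at display time, as the advisory's "or displaying" allows, is the safer of the two options it offers: encoding once at save time fixes the stored copy to one output context, and the same subject shown later in an attribute or a JavaScript string would need different treatment.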