Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Liferay Cross Site Scripting Flaw
From: Giri, Sandeep (girisdeshaw.com)
Date: Sat May 22 2004 - 05:30:27 CDT
Advisory Name: Liferay Cross Site Scripting flaw
Release Date: 05/22/2004
Application: Liferay (www.liferay.com)
Author: Sandeep Giri
Vendor Status: Notified ( 4 months ago)
(Taken from http://www.liferay.com/products/index.jsp)
Liferay Enterprise Portal was designed to:
Provide organizations with a single sign-on web interface for email,
management, message board, and other useful communication tools.
authentication schemes (LDAP or SQL) are pooled together so users don't
to remember a different login and password for every section of the
Liferay is prone to cross site scripting flaw. Almost all the fields
input from one user and are displayed on another user's screen can be
execute java script code.
Add a message with subject <script>history.go(-1)</script>
Now, no user can see message board.
Vendor was notified on 14/01/2004. No fix have been released yet.
While saving or displaying the data:
replace &,<,> etc with &,< and > respectively.