Re: Liferay Cross Site Scripting Flaw
From: michael young (myoungliferay.com)
Date: Thu Nov 25 2004 - 10:27:53 CST
The scripting flaw has been fixed as of version 2.2.0 release 10/1/2004. We urge all parties to upgrade their deployments.
>Subject: Liferay Cross Site Scripting Flaw
>Date: Sat, 22 May 2004 16:00:27 +0530
>From: "Giri, Sandeep" <girisdeshaw.com>
>Advisory Name: Liferay Cross Site Scripting flaw
> Release Date: 05/22/2004
> Application: Liferay (www.liferay.com)
> Author: Sandeep Giri
>Vendor Status: Notified ( 4 months ago)
>(Taken from http://www.liferay.com/products/index.jsp)
>Liferay Enterprise Portal was designed to:
>Provide organizations with a single sign-on web interface for email,
>management, message board, and other useful communication tools.
>authentication schemes (LDAP or SQL) are pooled together so users don't
>to remember a different login and password for every section of the
>Liferay is prone to cross site scripting flaw. Almost all the fields
>input from one user and are displayed on another user's screen can be
>execute java script code.
>Add a message with subject <script>history.go(-1)</script>
>Now, no user can see message board.
>Vendor was notified on 14/01/2004. No fix has been released yet.
>While saving or displaying the data:
>replace &,<,> etc with &amp;,&lt; and &gt; respectively.
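
The remediation suggested in the advisory (entity-encoding `&`, `<`, `>` and similar characters), sketched in Java as an added example that is not part of the original thread and is not Liferay's own code. The class and method names are hypothetical, and it assumes the subject is stored raw and encoded once when it is written into HTML element content.

```java
public class HtmlEscapeDemo {

    // Encode the characters that are significant in HTML text and in quoted
    // attribute values. One pass over the raw input means an '&' produced by
    // this method is never encoded a second time.
    static String escapeHtml(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical view helper: renders one message-board subject cell.
    static String renderSubjectCell(String storedSubject) {
        return "<td class=\"subject\">" + escapeHtml(storedSubject) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample subjects; the first is the one quoted in the advisory.
        String[] subjects = {
            "<script>history.go(-1)</script>",
            "Q&A: is 1 < 2?",
            "Tom's \"draft\" agenda"
        };
        for (String s : subjects) {
            System.out.println(renderSubjectCell(s));
        }
        // Encoding on save and again on display corrupts legitimate text,
        // which is why this example encodes only at output time.
        String savedEncoded = escapeHtml("Q&A");        // stored as Q&amp;A
        System.out.println(escapeHtml(savedEncoded));   // Q&amp;amp;A
    }
}
```

With the subject encoded this way, the browser displays the `<script>` text literally instead of executing it, so the message board listing stays viewable.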