Liferay Portal p_p_id parameter vulnerable to persistent cross-site script

4323997, modified 16 Years ago. New Member Posts: 5 Join Date: 11/27/09 Recent Posts
Hi,

I found this report recently.

US-CERT Vulnerability Note VU#750796

Liferay Portal p_p_id parameter vulnerable to persistent cross-site scripting

http://www.kb.cert.org/vuls/id/750796

To solve this problem, should I obtain the source code of 5.3 from Subversion?
Now, we are developing using 5.2.3 ext and plugin_sdk.
Is there compatibility between 5.2 and 5.3?

Thanks.
2401061, modified 16 Years ago. Liferay Legend Posts: 2034 Join Date: 3/5/09 Recent Posts
I truly wish that Liferay would put an announcement portlet in the control panel for administrators and omni-admins so that they could push out important announcements like that to all of their users.
1339768, modified 16 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
Lisa Simpson:
I truly wish that Liferay would put an announcement portlet in the control panel for administrators and omni-admins so that they could push out important announcements like that to all of their users.


The good news is that now you can do this yourself - at least in unpatched versions.

(ducks and hides in the dark)
1339768, modified 16 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
Look at the patches in the FishEye tab at LPS-6034 and see if the patches to trunk still apply without any work to the 5.2.3 codebase. Chances are that - when the code has changed - you have to look in a different line, but not in a different class.
4323997, modified 16 Years ago. New Member Posts: 5 Join Date: 11/27/09 Recent Posts
Thank you for your advice.

I read FishEye. Therefore I understood that there was a difference between 5.2.3 and 6.0.0 (5.3).
Because there was not a function called HtmlUtil#escapeJS in 5.2.3, I decided to use org.apache.commons.lang.StringEscapeUtils#escapeJavaScript instead.

However, I am worried about whether this method is correct.
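
As an added illustration of the concern in the post above (not code from the Liferay patch or from anyone in this thread): a self-contained Java escaper for a value placed inside a quoted JavaScript string in an inline script, which is the output context the method names in this thread suggest. The class name, method name and sample p_p_id value are hypothetical, and the code does not reproduce the behaviour of HtmlUtil#escapeJS or StringEscapeUtils#escapeJavaScript; it shows which characters a substitute method has to neutralise so its output can be compared.

```java
// Added example: hypothetical helper, not the Liferay patch.
public class JsStringEscaper {

    /** Escapes a value for use inside a quoted JavaScript string in an inline script element. */
    public static String escapeJsString(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;   // backslash first, or later escapes can be undone
                case '\'': sb.append("\\'");  break;   // closes a single-quoted literal
                case '"':  sb.append("\\\""); break;   // closes a double-quoted literal
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    // HTML-significant characters, control characters and the
                    // JavaScript line separators (0x2028, 0x2029) are written as
                    // unicode escapes, so the value can end neither the string
                    // literal nor the surrounding script element.
                    if (c < 0x20 || c == '<' || c == '>' || c == '&' || c == '/'
                            || c == 0x2028 || c == 0x2029) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for a stored p_p_id parameter.
        String pPId = "56_INSTANCE_ab12'\"</script>";
        // The escaped value stays inside the quotes of the generated statement.
        System.out.println("<script>var portletId = '" + escapeJsString(pPId) + "';</script>");
    }
}
```

Running a candidate replacement method over the same sample value and checking that quotes, backslashes and the closing script tag no longer appear unescaped is a quick way to compare it with the backported patch.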
1339768, modified 16 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
Kazutaka KAMIYA:
Because there was not a function called HtmlUtil#escapeJS in 5.2.3, I decided to use org.apache.commons.lang.StringEscapeUtils#escapeJavaScript instead.

You could also just add HtmlUtil to the backport and add it to the patch. This way you'd have the same effect as the patch from FishEye.
1599526, modified 15 Years ago. New Member Posts: 21 Join Date: 11/18/08 Recent Posts
I need to backport this fix into a 5.1.2 code base. However, FishEye is down for the count with no hope of ever coming back. Can someone post what was actually changed to fix this?

Thank you,
1339768, modified 15 Years ago. Liferay Legend Posts: 6441 Join Date: 9/23/08 Recent Posts
With FishEye being down, my only guess would be to hunt down the relevant commit in svn with your favourite svn client. The commits contain the ticket number as a comment.

Sorry