6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.01 Low
EPSS
Percentile
83.7%
According to its self-reported version number, the installation of Liferay Portal hosted on the remote web server is affected by multiple vulnerabilities :
An arbitrary file download vulnerability exists when Apache Tomcat is used, which allows remote, authenticated users to download arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue. (CVE-2011-1502)
An arbitrary file download vulnerability exists when Apache Tomcat or Oracle GlassFish is used. The XSL Content portlet allows remote, authenticated users to read arbitrary XSL / XML files via a file:/// URL.
(CVE-2011-1503)
A cross-site scripting vulnerability exists, which allows remote, authenticated users to inject arbitrary JavaScript or HTML via a blog title. (CVE-2011-1504)
A cross-site scripting vulnerability exists when Apache Tomcat is used, which allows remote, authenticated users to inject arbitrary JavaScript or HTML via a message title. (CVE-2011-1570)
An unspecified vulnerability exists when Apache Tomcat is used. The XSL Content portlet allows remote attackers to execute arbitrary commands via unknown vectors.
(CVE-2011-1571)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(59230);
script_version("1.14");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id(
"CVE-2011-1502",
"CVE-2011-1503",
"CVE-2011-1504",
"CVE-2011-1570",
"CVE-2011-1571"
);
script_bugtraq_id(47082, 73497);
script_xref(name:"EDB-ID", value:"18715");
script_name(english:"Liferay Portal < 6.0.6 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Java application that is affected by
multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the installation of
Liferay Portal hosted on the remote web server is affected by multiple
vulnerabilities :
- An arbitrary file download vulnerability exists when
Apache Tomcat is used, which allows remote,
authenticated users to download arbitrary files via an
entity declaration in conjunction with an entity
reference, related to an XML External Entity (aka XXE)
issue. (CVE-2011-1502)
- An arbitrary file download vulnerability exists when
Apache Tomcat or Oracle GlassFish is used. The XSL
Content portlet allows remote, authenticated users to
read arbitrary XSL / XML files via a file:/// URL.
(CVE-2011-1503)
- A cross-site scripting vulnerability exists, which
allows remote, authenticated users to inject arbitrary
JavaScript or HTML via a blog title. (CVE-2011-1504)
- A cross-site scripting vulnerability exists when Apache
Tomcat is used, which allows remote, authenticated users
to inject arbitrary JavaScript or HTML via a message
title. (CVE-2011-1570)
- An unspecified vulnerability exists when Apache Tomcat
is used. The XSL Content portlet allows remote attackers
to execute arbitrary commands via unknown vectors.
(CVE-2011-1571)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
script_set_attribute(attribute:"see_also", value:"https://www.openwall.com/lists/oss-security/2011/03/29/1");
# https://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7bdf9956");
script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-11506");
script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-12628");
script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-13250");
script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-14726");
script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-14927");
script_set_attribute(attribute:"see_also", value:"http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_Liferay");
script_set_attribute(attribute:"solution", value:
"Upgrade to Liferay Portal 6.0.6 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-1571");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/29");
script_set_attribute(attribute:"patch_publication_date", value:"2011/03/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/22");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:liferay:portal");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("liferay_detect.nasl");
script_require_keys("www/liferay_portal");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80, 443, 8080);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");
include("webapp_func.inc");
if (report_paranoia < 2) audit(AUDIT_PARANOID);
# Get the ports that web servers have been found on, defaulting to
# what Liferay uses with Tomcat, their recommended bundle.
port = get_http_port(default:8080, embedded:TRUE);
# Get details of the Liferay Portal install.
install = get_install_from_kb(appname:"liferay_portal", port:port, exit_on_fail:TRUE);
dir = install["dir"];
ver = install["ver"];
url = build_url(port:port, qs:dir + "/");
if (ver == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, "Liferay Portal", url);
# Versions earlier than 6.0.6 are vulnerable.
fix = "6.0.6";
if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)
audit(AUDIT_WEB_APP_NOT_AFFECTED, "Liferay Portal", url, ver);
set_kb_item(name:"www/" + port + "/XSS", value:TRUE);
# Report our findings.
report = NULL;
if (report_verbosity > 0)
{
report =
'\n URL : ' + url +
'\n Installed version : ' + ver +
'\n Fixed version : ' + fix +
'\n';
}
security_hole(port:port, extra:report);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1502
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1503
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1504
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1570
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571
www.nessus.org/u?7bdf9956
xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_Liferay
issues.liferay.com/browse/LPS-11506
issues.liferay.com/browse/LPS-12628
issues.liferay.com/browse/LPS-13250
issues.liferay.com/browse/LPS-14726
issues.liferay.com/browse/LPS-14927
www.openwall.com/lists/oss-security/2011/03/29/1