Liferay CE Stored Cross Site Scripting

🗓️ 01 Jun 2016 00:00:00Reported by Fernando CamaraType

packetstorm🔗 packetstormsecurity.com👁 61 Views

Liferay CE Stored Cross Site Scripting vulnerability found and fixe

Reporter	Title	Published	Views	Family All 16
0day.today	Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting	2 Jun 201600:00	–	zdt
CNVD	Liferay CE Stored Cross-Site Scripting Vulnerability	5 Jun 201600:00	–	cnvd
Check Point Advisories	Liferay Portal User Account Stored Cross Site Scripting (CVE-2016-3670)	22 Jun 201600:00	–	checkpoint_advisories
CVE	CVE-2016-3670	13 Jun 201614:00	–	cve
Cvelist	CVE-2016-3670	13 Jun 201614:00	–	cvelist
Exploit DB	Liferay CE < 6.2 CE GA6 - Persistent Cross-Site Scripting	2 Jun 201600:00	–	exploitdb
EUVD	EUVD-2016-4695	7 Oct 202500:30	–	euvd
exploitpack	Liferay CE 6.2 CE GA6 - Persistent Cross-Site Scripting	2 Jun 201600:00	–	exploitpack
Github Security Blog	Liferay Portal Vulnerable to XSS in Profile Search Functionality	17 May 202203:53	–	github
NVD	CVE-2016-3670	13 Jun 201614:59	–	nvd

`Fernando Câmara @ Integrity S.A  
www.integrity.pt  
https://twitter.com/overflowy  
  
https://labs.integrity.pt/advisories/cve-2016-3670/  
  
---  
  
  
CVE-2016-3670 Stored Cross Site Scripting in Liferay CE  
  
1. Vulnerability Properties  
  
Title: Stored Cross-Site Scripting Liferay CE  
CVE ID: CVE-2016-3670  
CVSSv3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)  
Vendor: Liferay Inc  
Products: Liferay  
Advisory Release Date: 27 May 2016  
Advisory URL: https://labs.integrity.pt/advisories/cve-2016-3670  
Credits: Discovery by Fernando Câmara <fbc[at]integrity.pt>  
  
2. Vulnerability Summary  
  
Liferay is vulnerable to a stored XSS when an user is created with an  
malicious payload on the FirstName field.  
The javascript payload is executed when another user tries to use the  
profile search section.  
3. Technical Details  
  
An XSS vulnerability was found on the Profile Search functionality,  
accessible through User -> My Profile -> Search. An attacker can set a  
malicious javascript payload on his First Name affecting anyone who  
performs a search using a keyword present on his profile.  
  
The exploitation of this vulnerability could lead to an effective way to  
grab cookies (stealing sessions) from anyone that uses that search  
component.  
  
Exploitation Request: (User Registration with an malicious FirstName field)  
  
POST /liferay/web/guest/home?p_p_id=58&p_p_lifecycle=1&p_p_state=  
maximized&p_p_mode=view&_58_struts_action=%2Flogin%2Fcreate_account  
  
Data:  
  
_58_firstName=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2  
  
The vulnerability is located on the users.jsp and as shown below the origin  
is the lack of validation of user input:  
  
line 64: <a data-value=”<%= curUserName %>” href=”javascript:;”>  
  
4. Vulnerable Versions  
  
< 6.2 CE GA6  
  
5. Solution  
  
Update to version 7.0.0 CE RC1  
  
6. Vulnerability Timeline  
  
21/Jan/16 - Bug reported to Liferay  
22/Mar/16 – Bug verified by vendor  
22/Mar/16 – Bug fixed by vendor  
27/May/16 – Advisory released  
  
  
7. References  
  
https://issues.liferay.com/browse/LPS-62387  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3670  
  
  
`

01 Jun 2016 00:00Current

6.3Medium risk

Vulners AI Score6.3

EPSS0.02291