Session monitoring has XSS vulnerability

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 4.3.6
Fix Version/s: 4.3.7, 4.4.0
Component/s: None
Labels:
None

Similar Issues:

Show 5 results

Description

DESCRIPTION:
Liferay doesn't properly sanitize name of user agent in Enterprise Admin -> Monitoring -> Live Sessions ->

{Session}

which allow to craft XSS attack targeted directly to Portal Administrator.
This vulnerability which conjunction with CSRF can lead to serious problems.

ATTACK IMPACT:
See other XSS and CSRF reports

ATTACK CONSTRAINTS:
User with access to any account on Liferay based portal
NOTE: Attack must set to User-Agent HTTP header before session is created (so User-Agent must present itself with attack from the beginning of User-Agent <-> Server interaction) !!!

EXAMPLE EXPLOIT AND VERIFICATION:
Please use software proxy that allows to modify HTTP traffic or write simple user-agent in f.e. Perl.
Set value of HTTP User-Agent to f.e (Internet Explorer + an attack).
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)<<script>script>alert('XSS !!!')<</script>/script>

Activity

There are no comments yet on this issue.

People

Assignee:

SE Support

Reporter:

Brian Chan

Vote (0)

Watch (0)

Dates

Created:

10/Jan/08 9:11 AM

Updated:

10/Jan/08 9:12 AM

Resolved:

10/Jan/08 9:12 AM

Agile

View on Board

~~LEP-4737~~	Forgot password XSS vulnerability
~~LEP-5901~~	Close XSS vulnerabilities found by LEP-5801
~~LEP-4739~~	Admin portlet Shutdown message has XSS and CSRF vulnerability
~~LEP-5801~~	Add xss vulnerability detection to format-source task
~~LEP-5948~~	More XSS vulnerability patches