PUBLIC - Liferay Portal Community Edition

XSS vulnerability on Document Library Types

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 6.1.0 CE GA1, 6.1.10 EE GA1
  • Fix Version/s: 6.1.1 CE GA2, 6.1.20 EE GA2, --Sprint 11/12, 6.2.0 CE M2
  • Component/s: DM, DM > Document Library Display, Dynamic Data Lists, Security
  • Labels:
  • Environment:
  • Branch Version/s:
    6.1.x
  • Backported to Branch:
    Committed
  • Fix Priority:
    3
  • Similar Issues:
    Show 3 results 

Description

Steps to reproduce:
Case 1:
1. Add New Document Type.
2. Drag Main Metadata Fields, Text and Text Box, Save.
3. Add a new document using this New Document Type.
3. Fill out <script>alert("xss")</script> for Text and Text Box field. Save.
4. Try to click on the document.

Xss alert will display.
In this case, text and Text Box have xss problem when creating New Document Type and adding New Data Definition in Dynamic Data List portlet.

Case 2
1. Add New Document Type with name "<script>alert("xss")</script>".
2. Add document with this type.
Note: Only fill out description with "<script>alert("xss")</script>" won't occur xss alert

Xss alert will display when try to click on this document.

Case 3:
1. Add New Document Type with name "<script>alert("xss")</script>"
2. Add an Asset Publish portlet.

Xss alert will occur.

Case 4.
1. Add an Asset Publish portlet first.
2. Add New Document Type with name "<script>alert("xss")</script>"
3. Try to upload a document with this document type.

Xss alert will occur.

Console error:
05:57:24,407 ERROR [MinifierUtil:109] 1: 10: Unexpected end of file
05:57:24,408 ERROR [MinifierUtil:109] 1: 0: Compilation produced 1 syntax errors.
05:57:24,409 ERROR [MinifierUtil:75] JavaScript Minifier failed for
alert-xss-

Issue Links

causes

Regression Bug - Used by Liferay QA to indicate an issue discovered during regression testing LPS-28902 Can not Add Record in the DDL when using the Meeting Minutes Data Definition .

  • Minor - Minor loss of function, or other problem where easy workaround is present.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Michael Saechang added a comment -

Committed on:
Portal 6.1.x CE GIT ID: ae52b8a138a2552c63375b3e4ef47ceb4de0b929.
Portal 6.2.x GIT ID: 063a7779269348617142c02d948812a5bc7e2cd4.

Show
Michael Saechang added a comment - Committed on: Portal 6.1.x CE GIT ID: ae52b8a138a2552c63375b3e4ef47ceb4de0b929. Portal 6.2.x GIT ID: 063a7779269348617142c02d948812a5bc7e2cd4.
Hide
Permalink
Justin Choi added a comment -

PASSED Manual Testing following the steps in the description.

Reproduced on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 9caa758bde0cf4721bf812a96e76cf2825f34dd5.
Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 338ee7f06716111db1c0f4168bd0b8dbc9fd04b8.

  • All four cases will generate the XSS dialog box. Minifer errors in the console displays.

Fixed on:
Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 844a9390cfc57ce5d12770d26ac9f09f42a9afd4.
Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 19aabb75583a436fa9861ced02ac9ca08892c76b.

  • No XSS for all four test cases; the Minifer errors are not displayed in the console.
Show
Justin Choi added a comment - PASSED Manual Testing following the steps in the description. Reproduced on: Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 9caa758bde0cf4721bf812a96e76cf2825f34dd5. Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 338ee7f06716111db1c0f4168bd0b8dbc9fd04b8. All four cases will generate the XSS dialog box. Minifer errors in the console displays. Fixed on: Tomcat 7.0 + MySQL 5. Portal 6.1.x EE GIT ID: 844a9390cfc57ce5d12770d26ac9f09f42a9afd4. Tomcat 7.0 + MySQL 5. Portal 6.2.x GIT ID: 19aabb75583a436fa9861ced02ac9ca08892c76b. No XSS for all four test cases; the Minifer errors are not displayed in the console.

People

Vote (0)
Watch (4)

Dates

  • Created:
    Updated:
    Resolved:
    Days since last comment:
    43 weeks ago