Project: PUBLIC - Liferay Portal Community Edition
Issue: LPS-27420

XSS issue in downloading file through WebDAV URL

    Details

      Description

      Summary:
      When an HTML file containing JavaScript is downloaded through the WebDAV link, the browser renders it as a page instead of saving it, so the JavaScript executes and allows an XSS attack.

      Steps to reproduce:

      1) Upload the attached xss.html.
      2) Select the file and go to the information screen.
         On the right there are three links for downloading the file: "Download (0.1k)", "Get URL" and "WebDAV URL".
      3) Click "WebDAV URL", copy the URL it gives, and paste it into a new browser tab.
         Note that the XSS popup is shown in the browser instead of the file being downloaded as text.
         When you click "Get URL" and open that URL instead, the file is properly downloaded and not rendered as HTML.
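The difference between the two links comes down to the response headers each path sends. The following is an added illustration, not Liferay's code: a hypothetical handler that serves a stored upload either the way the WebDAV path does in this report (stored MIME type echoed, shown inline) or the way the "Get URL" path does (forced download), plus a check a reviewer can run against captured response headers. The helper names and the sample upload are constructed for the example.

```python
"""Added example (not from Liferay): serving user uploads so the browser cannot
render them as a document in the portal's origin."""
import mimetypes
from typing import Dict, Tuple

# Constructed stand-in for the xss.html attachment mentioned in the report.
SAMPLE_UPLOAD = ("xss.html", b"<html><script>alert('xss')</script></html>")

# Content types a browser will interpret as active content when shown inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def build_response(filename: str, body: bytes, hardened: bool) -> Tuple[Dict[str, str], bytes]:
    """Return (headers, body) for a stored file.

    hardened=False mirrors the reported WebDAV behaviour: the guessed MIME type is
    echoed and the file is shown inline, so a .html upload is rendered and scripted.
    hardened=True mirrors the 'Get URL' behaviour: the file is sent as an attachment,
    content sniffing is disabled and an active type is downgraded to a binary stream.
    """
    guessed, _ = mimetypes.guess_type(filename)
    ctype = guessed or "application/octet-stream"
    if not hardened:
        return {"Content-Type": ctype}, body
    if ctype in ACTIVE_TYPES:
        ctype = "application/octet-stream"
    # Strip characters that could break out of the quoted filename parameter.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    headers = {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Belt and braces: even if a client ignored the disposition, a sandboxed
        # document gets no script execution and an opaque origin.
        "Content-Security-Policy": "sandbox",
    }
    return headers, body


def is_browser_renderable(headers: Dict[str, str]) -> bool:
    """True if a browser would treat this response as a document it may render and script."""
    disposition = headers.get("Content-Disposition", "inline").strip().lower()
    if disposition.startswith("attachment"):
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype in ACTIVE_TYPES
```

Running `is_browser_renderable` over the headers of both download paths reproduces the report: the WebDAV-style response is renderable, the "Get URL"-style response is not.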


    Dates

      Days since last comment: 7 years, 20 weeks ago

    Packages

      Version Package:
      6.0.X EE
      6.1.1 CE GA2
      6.1.20 EE GA2
      --Sprint 11/12
      6.2.0 CE M2