[LPS-5588] It is possible to insert javascript via FCKEditor - Liferay Issues

Details

Type: Bug
Status: Closed
Resolution: Duplicate
Affects Version/s: 5.2.3
Fix Version/s: 6.0.3 GA
Component/s: Accessibility, Security Vulnerability
Labels:
None
Environment:
liferay.com

Liferay Contributor's Agreement:

Accept

Description

I tried to explain this issue in this forum: http://www.liferay.com/web/guest/community/forums/-/message_boards/message/4206917

Actually - I'm just a normal user, but I can insert (for example) some javascript into wiki - just check this wiki-page I just created in liferay.com: http://www.liferay.com/web/guest/community/wiki/-/wiki/Main?_36_title=Test%20for%20XSS

In my case I've inserted just an alert, but - it may be much-much more dangerous javascript. As result, this javascript, entered by me (again - I'm just a normal user in liferay.com) will be executed for any user, who will open this page

I'm afraid it is HUGE security problem! - I cannot change Main wiki-page (has no permissions for it) - but I can change many pages and insert dangerous javascript in many places in liferay.com

Same for any installation of Liferay

Attachments

Issue Links

duplicates

LPS-6575 XSS Issue with Blogs portlet

Closed

LPS-8436 Add HTML sanitizer to filter malicious code from html allowed user inputs

Closed

Activity

People

Assignee:

Zsolt Balogh

Reporter:

Alexey Kakunin

Participants of an Issue:

Alexey Kakunin, Zsolt Balogh

Recent user:

Esther Sanz

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

29/Oct/09 1:50 PM

Updated:

01/Dec/15 4:46 AM

Resolved:

03/Jun/10 3:00 AM

Days since last comment:

9 years, 8 weeks, 5 days ago

Packages

Version	Package
6.0.3 GA