Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-5588

It is possible to insert javascript via FCKEditor

    XMLWordPrintable

    Details

    • Liferay Contributor's Agreement:
      Accept

      Description

      I tried to explain this issue in this forum: http://www.liferay.com/web/guest/community/forums/-/message_boards/message/4206917

      Actually - I'm just a normal user, but I can insert (for example) some javascript into wiki - just check this wiki-page I just created in liferay.com: http://www.liferay.com/web/guest/community/wiki/-/wiki/Main?_36_title=Test%20for%20XSS

      In my case I've inserted just an alert, but - it may be much-much more dangerous javascript. As result, this javascript, entered by me (again - I'm just a normal user in liferay.com) will be executed for any user, who will open this page

      I'm afraid it is HUGE security problem! - I cannot change Main wiki-page (has no permissions for it) - but I can change many pages and insert dangerous javascript in many places in liferay.com

      Same for any installation of Liferay

        Attachments

          Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. LPS-6575 XSS Issue with Blogs portlet

          • Closed

          Bug - A problem which impairs or prevents the functions of the product. LPS-8436 Add HTML sanitizer to filter malicious code from html allowed user inputs

          • Closed

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                0 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Days since last comment:
                  9 years, 29 weeks, 2 days ago

                  Packages

                  Version Package
                  6.0.3 GA