Liferay Portal 7.1 CE GA4 Cross Site Scripting

2019.06.13
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS # Date: 04/06/2019 # Exploit Author: Valerio Brussani (@val_brux) # Website: www.valbrux.it # Vendor Homepage: https://www.liferay.com/ # Software Link: https://www.liferay.com/it/downloads-community # Version: < 7.1 CE GA4 # Tested on: Liferay Portal 7.1 CE GA3 # CVE: CVE-2019-6588 # Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3 # Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/ Introduction In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input into the “url” parameter of the JSP taglib call <liferay-ui:captcha url=”<%= url %>” /> or <liferay-captcha:captcha url=”<%= url %>” />. A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability. Poc In a sample scenario of custom code calling the <liferay-ui:captcha url=”<%= url %>” /> JSP taglib, appending a payload like the following to the body parameters of a customized form: &xxxx%22%3e%3cscript%3ealert(1)</script> The script is reflected in the src attribute of the <img> tag, responsible of fetching the next available captcha: <img alt=”xxx” class=”xxxx” src=”xxxxxx“><script>alert(1)</script>=” />


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top