Cross-Site Scripting within the "login" field processed by the
"/c/portal/login" server-side script.
Consequences:
An attacker may be able to cause the execution of malicious script code in
the browser of a user who visits a specially-crafted Liferay Portal URL, or
visits a page that submits a request to such URL. Such code would run
within the security context of the target domain.
This type of attack can result in non-persistent defacement of the target
site, or the redirection of confidential information (e.g. usernames and
passwords) to unauthorised third parties.
Proof of concept (PoC):
The provided XSS PoC URLs overwrite the 'action' attribute of the Liferay
Portal login form. Thus, when the victim user clicks on the "Sign In" button,
the credentials (username/password) are sent to a third-party site
(procheckup.com in this case).
(other versions of Liferay Portal might also be affected)
Severity: Medium/High
Author: Adrian Pastor [adrian.pastor [at] procheckup.com] from ProCheckUp
Ltd (www.procheckup.com)
ProCheckUp thanks Liferay for fixing this vulnerability so promptly.
References:
http://www.liferay.com/
http://www.procheckup.com/Vulnerability_2007.php
Fix:
The issue was fixed a while back, but re-surfaced in 4.1.0 and 4.1.1.
This issue has been fixed in version 4.1.3 and later.
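
A log check for the condition described above, as an added example that is not part of the original advisory: it flags requests to /c/portal/login whose "login" parameter decodes to HTML markup characters. The log lines are constructed, and the combined log format and a query-string parameter named login are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (combined log format), not taken from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2007:10:01:02 +0000] "GET /c/portal/login?login=alice%40example.com HTTP/1.1" 200 5120
192.0.2.44 - - [12/Mar/2007:10:03:17 +0000] "GET /c/portal/login?login=x%22%3E%3Cb%3E HTTP/1.1" 200 5188
192.0.2.44 - - [12/Mar/2007:10:03:40 +0000] "GET /c/portal/login?login=x%2522%253E HTTP/1.1" 200 5160
192.0.2.77 - - [12/Mar/2007:10:05:00 +0000] "GET /web/guest/home?login=%3Cb%3E HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters that let a reflected value leave an HTML attribute or start a tag.
MARKUP_CHARS = set('<>"\'')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding, bounded to avoid pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_login_requests(log_text):
    """Return (client_ip, decoded_login) for flagged /c/portal/login requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != "/c/portal/login":
            continue
        # parse_qs decodes once; fully_decode catches double-encoded values.
        for raw in parse_qs(url.query, keep_blank_values=True).get("login", []):
            value = fully_decode(raw)
            if MARKUP_CHARS & set(value):
                hits.append((client, value))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_login_requests(SAMPLE_LOG):
        print(f"{client}\tlogin={value!r}")
```

Values submitted in a POST body do not appear in access logs, so this check only covers the crafted-URL case.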