Changes for page Application_Liferay

Summary

• Page properties (2 modified, 0 added, 0 removed)

Details

Page properties

Tags

...	...	@@ -1,0 +1,1 @@
	1	+liferay|java|xalan-j|code execution|xee

Content

...	...	@@ -4,14 +4,18 @@
4	4
5	5
6	6
	7	+The vulnerabilities described here were patched in version 6.0.6 GA (cf. the [[Release Notes for 6.0.6 GA>>http://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952||rel="__blank"]]).
7	7
8		-
9		-
10	10	== Java code execution ==
11	11
12	12	LIferay includes numerous portlets. The "XSL Content" portlet displays the result of the XSL transformation of a XML document. The XSLT engine used by default is [[Xalan-J>>Engine_Saxon]] (but this can probably modified easily using [[JAXP>>http://en.wikipedia.org/wiki/Java_API_for_XML_Processing||rel="__blank"]]). As Xalan-J allows by default to execute Java code from the stylesheet, that's an easy to exploit vulnerability. Any logged-in user can execute arbitrary Java code in the context of the Web Application server (usually Tomcat) : [[CVE-2011-1571>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571||rel="__blank"]].
13	13
14	14
	14	+
	15	+Executing commands and reading the output (using the "xalanj-reading-stdout.xsl" script included on the [[Xalan-J>>Engine_Saxon]] page) :
	16	+
	17	+[[image:liferay-execute-commands-with-stdout.png||style="display: block; margin-left: auto; margin-right: auto"]]
	18	+
15	15	== Additional vulnerabilities ==
16	16
17	17	Two others vulnerabilities were identified in the "XSL Content" portlet :
...	...	@@ -20,9 +20,5 @@
20	20
21	21	* CVE-2011-1502 : allows to read UTF-8 files and to list directories via a XEE (XML External Entity) attack
22	22
23		-
24		-
25		-
26	26	Reading /etc/passwd using CVE-2011-1502 :
27		-
28	28	[[image:liferay-read-etc-passwd-via-xee.png||style="display: block; margin-left: auto; margin-right: auto"]]