Changes for page Application_Liferay

Last modified by Nicolas Gregoire on 2012/04/19 14:05

From version 9.1
edited by Nicolas Gregoire
on 2012/01/13 14:08
Change comment: There is no comment for this version
To version 5.1
edited by Nicolas Gregoire
on 2012/01/13 14:04
Change comment: There is no comment for this version

Details

Page properties
Content
... ... @@ -12,13 +12,12 @@
12 12  LIferay includes numerous portlets. The "XSL Content" portlet displays the result of the XSL transformation of a XML document. The XSLT engine used by default is [[Xalan-J>>Engine_Saxon]] (but this can probably modified easily using [[JAXP>>http://en.wikipedia.org/wiki/Java_API_for_XML_Processing||rel="__blank"]]). As Xalan-J allows by default to execute Java code from the stylesheet, that's an easy to exploit vulnerability. Any logged-in user can execute arbitrary Java code in the context of the Web Application server (usually Tomcat) : [[CVE-2011-1571>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1571||rel="__blank"]].
13 13  
14 14  
15 +== Additional vulnerabilities ==
15 15  
16 -Executing commands and reading the output (using the "xalanj-reading-stdout.xsl" script included on the [[Xalan-J>>Engine_Saxon]] page) :
17 17  
18 -[[image:liferay-execute-commands-with-stdout.png||style="display: block; margin-left: auto; margin-right: auto"]]
19 19  
20 -== Additional vulnerabilities ==
21 21  
20 +
22 22  Two others vulnerabilities were identified in the "XSL Content" portlet :
23 23  
24 24  * CVE-2011-1503 : allows to read XML files via a file:~/~/ URL
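Review bot: the link on context line 12 (and on removed line 16) is labelled Xalan-J but targets the Engine_Saxon page, `[[Xalan-J>>Engine_Saxon]]`, while the sentence itself says the default engine is Xalan-J; the target should be checked and corrected if it is a copy-paste slip. On the version 5.1 side, removing line 16 and the image at line 18 also leaves the CVE-2011-1571 paragraph without any illustration, and the "== Additional vulnerabilities ==" heading at line 15 is followed by a run of empty lines (17 to 20) that can be collapsed to one. Context line 12 also carries the typos "LIferay" and "can probably modified", which are worth fixing in the same edit.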
... ... @@ -25,8 +25,6 @@
25 25  
26 26  * CVE-2011-1502 : allows to read UTF-8 files and to list directories via a XEE (XML External Entity) attack
27 27  
28 -
29 -
30 30  Reading /etc/passwd using CVE-2011-1502 :
31 31  
32 32  [[image:liferay-read-etc-passwd-via-xee.png||style="display: block; margin-left: auto; margin-right: auto"]]
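Review bot: context line 26 abbreviates XML External Entity as "XEE"; the usual abbreviation is XXE, and since this hunk only drops the two empty lines 28 and 29 it would be a good place to correct it. The screenshot at line 32 is the only evidence shown for CVE-2011-1502, so a short text description of what it displays, next to the lead-in at line 30, would keep the page useful when the image does not load.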