WebApp Sec mailing list archives

Persistent xss liferay enterprise cms


From: Tim Schughart <tim.schughart () icloud com>
Date: Wed, 07 Oct 2015 07:58:50 +0200

Hey guys,

During a penetration test I have found an unknown persistent XSS in the Liferay Portal backend. Liferay is already informed.

##################
#General Information#
##################


Manufacturer description:
Liferay Portal is an enterprise-web-platform for the development of business solutions, which provides quick results 
and long-term values.


########
#Details#
########
- Product: Liferay Portal Enterprise Edition (6.2 EE SP13)
- Affected versions: All <= 6.2 EE SP13
- Type of attack: Persistent Cross Site Scripting
- Proof Of Concept: Yes, 6.2 EE SP13
- Authentication required: Yes
- Reason: Missing input validation
- Impact: Injection of malicious JavaScript code

######
#PoC#
######
You have to be authenticated in the administrator backend.
Here you have to browse to the control center:
- In configuration, click on portal settings
- Select authentication
- Select LDAP
- Select add server
- Input the following code in the server name

Value for LDAP server name field:
Name_of_ldap_server<script>alert("XSS")</script>

The script is persistently inserted into the configuration page until the LDAP server is deleted from the database again.

###########
#Protection#
###########
Set XSS header and create WAF rule until it's patched.

Best regards / Mit freundlichen Grüßen

Tim Schughart



