ckconfig_creole.jsp reads 'cssClasses' from url cause XSS vulnerability
Description
Environment
Tomcat 6/7; Liferay portal trunk/6.1.x; mysql5
Activity

Mark Jin January 11, 2012 at 6:14 PM
PASSED Manual Testing following the steps in the description.
Reproduced on:
Tomcat 7.0.23 + MySQL 5.5.17. 6.2.x GIT ID: 0d09388cccb872ea3e7ebb468164d35afdb17c3a.
Fixed on:
Tomcat 7.0.23 + MySQL 5.5.17. 6.1.x GIT ID: 403754321922dc7977273ed5cde8476bea1e12e6.
Tomcat 7.0.23 + MySQL 5.5.17. 6.2.x GIT ID: dc79bcb54c96b4b8c1d8275c4326fa3712f8a974.

Michael Saechang January 11, 2012 at 2:38 PM
Committed on:
6.1.x GIT ID: 4d5bc923a8f5a689298173f02a23030aea606dcf.
6.2.x GIT ID: 4a4f22f73061e160f7e79a7b2b7902634b924da8.
Fixed
Details
Assignee: Mark Jin (Deactivated)
Reporter: Neil Jin (Deactivated)
Branch Version/s: 6.1.x
Backported to Branch: Committed
Priority: Medium
Created January 10, 2012 at 7:37 PM
Updated June 24, 2023 at 3:36 PM
Resolved March 12, 2012 at 2:28 PM
http://localhost:8080/html/js/editor/ckeditor/ckconfig_creole.jsp?p_l_id=10430&p_p_id=36&p_main_path=/c&doAsUserId=lX5Vj08yDsY%3D&doAsGroupId=0&cssPath=/html/themes/classic/css&cssClasses=%3Cscript%3Ealert%28String.fromCharCode%28101,72,50,68,121,51,118,77%29%29%3C/script%3E&imagesPath=/html/themes/classic/images&languageId=en_US&attachmentURLPrefix=http://vm-6.dlc.liferay.com/c/wiki/get_page_attachment?p_l_id%3D10430%26nodeId%3D10504%26title%3DFrontPage%26fileName%3D&wikiPageResourcePrimKey=10506&t=B37D54V
Through this URL you can see a pop-up alert, especially in Firefox.
The vulnerability exists in the ckconfig_bbcode.jsp, ckconfig_creole.jsp and ckconfig.jsp files.
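
An added example, not Liferay's code or its committed fix: a reduced Java model of a generated editor config that writes the cssClasses request parameter into its JavaScript output, showing the unescaped form beside an allowlisted and escaped one. The class name CkConfigCssClasses, the CKEDITOR.config.bodyClass output line and the benign class names are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CkConfigCssClasses { // hypothetical name, not a Liferay class
    // Assumption: a class list is space-separated tokens of letters, digits, '_' and '-'.
    private static final Pattern CLASS_TOKEN = Pattern.compile("-?[A-Za-z_][A-Za-z0-9_-]*");

    // Flawed pattern: the request parameter is concatenated into the response unchanged.
    static String renderUnescaped(String cssClasses) {
        return "CKEDITOR.config.bodyClass = 'html-editor " + cssClasses + "';";
    }

    // Keep only tokens that are well-formed class names; everything else is dropped.
    static String allowlist(String cssClasses) {
        List<String> kept = new ArrayList<>();
        for (String token : cssClasses.trim().split("\\s+")) {
            if (CLASS_TOKEN.matcher(token).matches()) kept.add(token);
        }
        return String.join(" ", kept);
    }

    // Defence in depth for the JavaScript string context: any character outside
    // letters, digits, space, '_' and '-' is written as a four-digit unicode escape.
    static String escapeJs(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                || (c >= '0' && c <= '9') || c == ' ' || c == '_' || c == '-';
            if (plain) sb.append(c); else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }

    // Hardened pattern: validate first, then encode for the output context.
    static String renderHardened(String cssClasses) {
        return "CKEDITOR.config.bodyClass = 'html-editor " + escapeJs(allowlist(cssClasses)) + "';";
    }

    public static void main(String[] args) {
        // Decoded cssClasses value from the URL in the report, plus a constructed benign value.
        String reported = "<script>alert(String.fromCharCode(101,72,50,68,121,51,118,77))</script>";
        String benign = "portlet-wiki aui-editor";
        System.out.println(renderUnescaped(reported)); // markup reaches the response as sent
        System.out.println(renderHardened(reported));  // rejected token, nothing reflected
        System.out.println(renderHardened(benign));    // class names pass through
    }
}
```

The same two steps apply to each of the three files named in the report, since all of them take the parameter from the URL.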