HTML Injection in the Classic Search Portlet (Legacy)

Issue

  • Our security tool identified an HTML Injection issue.
  • Reproduction Steps:
    1. Start up Liferay DXP 7.4 Update 62
    2. On the home page, add the "Search" widget.
    3. In the address bar, enter the URL
    localhost:8080/home?p_p_id=com_liferay_portal_search_web_portlet_SearchPortlet&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_com_liferay_portal_search_web_portlet_SearchPortlet_mvcPath=%2Fsearch.jsp&_com_liferay_portal_search_web_portlet_SearchPortlet_redirect=http%3A%2F%2Flocalhost:8080%2Fhome%3Fp_p_id%3Dcom_liferay_portal_search_web_portlet_SearchPortlet%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview&_com_liferay_portal_search_web_portlet_SearchPortlet_formDate=%3Cmeta%20content%3D%22was-tnb-klk%22%3E%3Cdiv%20style%3D%22was-tnb-klk%22%3E%3Ca%20style%3D%22was-tnb-klk%22%3E%3Cstyle%20id%3D%22was-tnb-klk%22%3E&_com_liferay_portal_search_web_portlet_SearchPortlet_keywords=nessus_was_textpw96gild&_com_liferay_portal_search_web_portlet_SearchPortlet_scope=this-site
    4. Check the source code of the page and observe that the malicious code "was-tnb-klk" is inserted.

Environment

  • Liferay DXP 7.4

 

Resolution

  • The reflected value is inserted into JavaScript code, not into the HTML markup. It is escaped for JavaScript as shown below, so the browser never parses it as tags. Therefore, this is a false positive.
    Liferay.Portlet.onLoad(
    {
    	canEditTitle: false,
    	columnPos: 0,
    	isStatic: 'end',
    	namespacedId: 'p_p_id_com_liferay_portal_search_web_portlet_SearchPortlet_',
    	portletId: 'com_liferay_portal_search_web_portlet_SearchPortlet',
    	refreshURL: '\x2fc\x2fportal\x2frender_portlet\x3fp_l_id\x3d6\x26p_p_id\x3dcom_liferay_portal_search_web_portlet_SearchPortlet\x26p_p_lifecycle\x3d0\x26p_t_lifecycle\x3d0\x26p_p_state\x3dmaximized\x26p_p_mode\x3dview\x26p_p_col_id\x3dnull\x26p_p_col_pos\x3dnull\x26p_p_col_count\x3dnull\x26p_p_isolated\x3d1\x26currentURL\x3d\x252Fhome\x253Fp_p_id\x253Dcom_liferay_portal_search_web_portlet_SearchPortlet\x2526p_p_lifecycle\x253D0\x2526p_p_state\x253Dmaximized\x2526p_p_mode\x253Dview\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_mvcPath\x253D\x25252Fsearch\x2ejsp\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_redirect\x253Dhttp\x25253A\x25252F\x25252Flocalhost\x253A8080\x25252Fhome\x25253Fp_p_id\x25253Dcom_liferay_portal_search_web_portlet_SearchPortlet\x252526p_p_lifecycle\x25253D0\x252526p_p_state\x25253Dnormal\x252526p_p_mode\x25253Dview\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_formDate\x253D\x25253Cmeta\x252520content\x25253D\x252522was-tnb-klk\x252522\x25253E\x25253Cdiv\x252520style\x25253D\x252522was-tnb-klk\x252522\x25253E\x25253Ca\x252520style\x25253D\x252522was-tnb-klk\x252522\x25253E\x25253Cstyle\x252520id\x25253D\x252522was-tnb-klk\x252522\x25253E\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_keywords\x253Dnessus_was_textpw96gild\x2526_com_liferay_portal_search_web_portlet_SearchPortlet_scope\x253Dthis-site',
    	refreshURLData: {"_com_liferay_portal_search_web_portlet_SearchPortlet_keywords":["nessus_was_textpw96gild"],"_com_liferay_portal_search_web_portlet_SearchPortlet_mvcPath":["\/search.jsp"],"_com_liferay_portal_search_web_portlet_SearchPortlet_scope":["this-site"],"_com_liferay_portal_search_web_portlet_SearchPortlet_redirect":["http:\/\/localhost:8080\/home?p_p_id=com_liferay_portal_search_web_portlet_SearchPortlet&p_p_lifecycle=0&p_p_state=normal&p_p_mode=view"],"_com_liferay_portal_search_web_portlet_SearchPortlet_formDate":["
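
A scanner reports any response that echoes its marker, so triage comes down to where the payload landed and whether its markup survived. The following JavaScript is an added example, not Liferay code or part of the original article; the function names, verdict labels and sample pages are constructed assumptions.

```javascript
// Added example: classify how a scanner payload is reflected in a response.
// Function names, verdict labels and sample pages are assumptions.

// Split the body into <script> bodies and everything else (HTML context).
function splitContexts(body) {
  const scripts = [];
  const html = body.replace(/<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi,
    (_, js) => { scripts.push(js); return ''; });
  return { html, scripts: scripts.join('\n') };
}

// payload: the decoded string the scanner sent, e.g. '<meta content="was-tnb-klk">'
// marker:  the unique token inside it, e.g. 'was-tnb-klk'
function classifyReflection(body, payload, marker) {
  const { html, scripts } = splitContexts(body);
  if (html.includes(payload)) return 'raw-in-html';         // parsed as markup: real finding
  if (scripts.includes(payload)) return 'raw-in-script';    // review string breakout by hand
  if (html.includes(marker)) return 'encoded-in-html';      // token present, tag syntax neutralised
  if (scripts.includes(marker)) return 'escaped-in-script'; // the case this article describes
  return 'not-reflected';
}

const payload = '<meta content="was-tnb-klk">';
const marker = 'was-tnb-klk';

// Constructed page, shortened from the escaped refreshURL shown in this article.
const escapedPage = String.raw`<html><body><script>
Liferay.Portlet.onLoad({
  refreshURL: '\x2fhome\x3fformDate\x253D\x25253Cmeta\x252520content\x25253D\x252522was-tnb-klk\x252522\x25253E'
});
</script></body></html>`;

// Constructed counter-example: the same payload echoed into markup unescaped.
const injectedPage =
  '<html><body><p>Results for <meta content="was-tnb-klk"></p></body></html>';

// Constructed: payload HTML-entity encoded inside the markup.
const encodedPage =
  '<html><body><p>&lt;meta content=&quot;was-tnb-klk&quot;&gt;</p></body></html>';

console.log(classifyReflection(escapedPage, payload, marker));
console.log(classifyReflection(injectedPage, payload, marker));
console.log(classifyReflection(encodedPage, payload, marker));
```

Only `raw-in-html` confirms HTML injection on its own; `raw-in-script` still needs a manual check that quotes and `</script>` cannot terminate the surrounding string.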

Additional Information

  • The Classic Search portlet has been deprecated since 7.1; please see Deprecated Apps in 7.1: What to Do. We are working on removing it in 7.4; please see LPS-154985. If you are using this portlet in your 7.4 environment, please migrate away from it.