Search for hundreds of thousands of exploits

"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting"

Author

Exploit author

"Valerio Brussani"

Platform

Exploit platform

jsp

Release date

Exploit published date

2019-06-11

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS
# Date: 04/06/2019
# Exploit Author: Valerio Brussani (@val_brux)
# Website: www.valbrux.it
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/it/downloads-community
# Version: < 7.1 CE GA4
# Tested on: Liferay Portal 7.1 CE GA3
# CVE: CVE-2019-6588
# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/


Introduction
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input 
into the “url” parameter of the JSP taglib call <liferay-ui:captcha url=”<%= url %>” /> or <liferay-captcha:captcha url=”<%= url %>” />. 
A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability.
 
Poc
In a sample scenario of custom code calling the <liferay-ui:captcha url=”<%= url %>” /> JSP taglib, appending a payload like the following to the body parameters of a customized form:
 
&xxxx%22%3e%3cscript%3ealert(1)</script> 
 
The script is reflected in the src attribute of the <img> tag, responsible of fetching the next available captcha:
 
<img alt=”xxx” class=”xxxx” src=”xxxxxx“><script>alert(1)</script>=” />
Release DateTitleTypePlatformAuthor
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
2020-05-27"osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"OXID eShop 6.3.4 - 'sorting' SQL Injection"webappsphpVulnSpy
Release DateTitleTypePlatformAuthor
2019-10-16"Whatsapp 2.19.216 - Remote Code Execution"remoteandroid"Valerio Brussani"
2019-06-11"Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting"webappsjsp"Valerio Brussani"
2019-01-15"1Password < 7.0 - Denial of Service"dosandroid"Valerio Brussani"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46983/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.