-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2008.0111 -- [Win][UNIX/Linux]
                Multiple vulnerabilities in Liferay Portal
                              4 February 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Liferay Portal
Publisher:            US-CERT
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
                      Cross-site Request Forgery
Access:               Existing Account
                      Remote/Unauthenticated
CVE Names:            CVE-2008-0178 CVE-2008-0179 CVE-2008-0180
                      CVE-2008-0181 CVE-2008-0182

Original Bulletin:    http://www.kb.cert.org/vuls/id/326065
                      http://www.kb.cert.org/vuls/id/888209
                      http://www.kb.cert.org/vuls/id/732449
                      http://www.kb.cert.org/vuls/id/217825
                      http://www.kb.cert.org/vuls/id/767825

Comment: This bulletin contains five (5) Vulnerability Notes.
         CVE-2008-0182 is the only Remote/Unauthenticated vulnerability.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#326065

Liferay Portal Enterprise Admin User-Agent HTTP header XSS

Overview

   Liferay Portal contains a cross-site scripting vulnerability in the
   handling of the User-Agent HTTP header, which can allow a remote,
   authenticated attacker to gain administrative access.

I. Description

   Liferay Portal is an enterprise portal solution that uses Java
   technologies. The Enterprise Admin Session Monitoring part of Liferay
   Portal fails to properly sanitize the User-Agent field supplied in
   HTTP headers.

II. Impact

   A remote, authenticated attacker may be able to execute arbitrary
   script within the context of the portal administrator.

III. Solution

   Apply an update

   This issue is addressed in Liferay versions 4.4.0 and 4.3.7, as
   specified in Liferay support document LEP-4736.

Systems Affected

   Vendor            Status       Date Updated
   Liferay, Inc.     Vulnerable   31-Jan-2008

References

   http://www.liferay.com/web/guest/products/portal
   http://support.liferay.com/browse/LEP-4736

Credit

   Thanks to Tomasz Kuczynski for reporting this vulnerability.

   This document was written by Will Dormann.

Other Information

                Date Public 01/10/2008
       Date First Published 01/31/2008 02:20:54 PM
          Date Last Updated 01/31/2008
              CERT Advisory
                   CVE Name CVE-2008-0178
   US-CERT Technical Alerts
                     Metric 5.67
          Document Revision 2


Vulnerability Note VU#888209

Liferay Portal Forgot Password User-Agent HTTP header XSS

Overview

   Liferay Portal contains a cross-site scripting vulnerability in the
   handling of the User-Agent HTTP header, which can allow a remote,
   authenticated attacker to inject content into "Forgot Password"
   emails.

I. Description

   Liferay Portal is an enterprise portal solution that uses Java
   technologies. The "Forgot Password" feature of Liferay Portal fails to
   properly sanitize the User-Agent field supplied in HTTP headers. This
   can allow a remote, authenticated attacker to inject content into the
   email that is generated by the "Forgot Password" feature.

II. Impact

   A remote, authenticated attacker may be able to inject content into
   the email messages generated by the "Forgot Password" feature.

III. Solution

   Apply an update

   This issue is addressed in Liferay versions 4.4.0 and 4.3.7, as
   specified in Liferay support document LEP-4737.

Systems Affected

   Vendor            Status       Date Updated
   Liferay, Inc.     Vulnerable   31-Jan-2008

References

   http://www.liferay.com/web/guest/products/portal
   http://support.liferay.com/browse/LEP-4737

Credit

   Thanks to Tomasz Kuczynski for reporting this vulnerability.

   This document was written by Will Dormann.

Other Information

                Date Public 01/10/2008
       Date First Published 01/31/2008 02:37:33 PM
          Date Last Updated 01/31/2008
              CERT Advisory
                   CVE Name CVE-2008-0179
   US-CERT Technical Alerts
                     Metric 0.38
          Document Revision 1


Vulnerability Note VU#732449

Liferay Portal User Profile Greeting stored XSS

Overview

   Liferay Portal fails to properly validate the User Profile "Greeting"
   value, which can allow script to execute when a user logs into the
   portal.

I. Description

   Liferay Portal is an enterprise portal solution that uses Java
   technologies. The User Profile "Greeting" value of Liferay Portal
   fails to properly sanitize input.

II. Impact

   An authenticated user may be able to inject script into the "Greeting"
   for the portal.

III. Solution

   Apply an update

   This issue is addressed in Liferay versions 4.4.0 and 4.3.7, as
   specified in Liferay support document LEP-4738.

Systems Affected

   Vendor            Status       Date Updated
   Liferay, Inc.     Vulnerable   31-Jan-2008

References

   http://www.liferay.com/web/guest/products/portal
   http://support.liferay.com/browse/LEP-4738

Credit

   Thanks to Tomasz Kuczynski for reporting this vulnerability.

   This document was written by Will Dormann.

Other Information

                Date Public 01/10/2008
       Date First Published 01/31/2008 02:50:36 PM
          Date Last Updated 01/31/2008
              CERT Advisory
                   CVE Name CVE-2008-0180
   US-CERT Technical Alerts
                     Metric 0.11
          Document Revision 1


Vulnerability Note VU#217825

Liferay Portal Admin portlet Shutdown message XSS

Overview

   Liferay Portal Admin portlet fails to properly validate input to the
   shutdown message, which can allow a remote, authenticated attacker to
   inject script into the message displayed to all users when the server
   is being shut down.

I. Description

   Liferay Portal is an enterprise portal solution that uses Java
   technologies. The Liferay Portal Admin portlet fails to properly
   sanitize input to the shutdown message.

II. Impact

   A remote, authenticated attacker may be able to inject script into the
   message that is displayed to all users when the server is being shut
   down.

III. Solution

   Apply an update

   This issue is addressed in Liferay version 4.4.0, as specified in
   Liferay support document LEP-4739.
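
   Added example (not part of the bulletin, the US-CERT notes or Liferay's
   code): the four cross-site scripting notes above (VU#326065, VU#888209,
   VU#732449 and VU#217825) share one root cause, untrusted text (a
   User-Agent header, a profile "Greeting", an administrator-typed shutdown
   message) placed into an HTML page or an e-mail without output encoding.
   Liferay is a Java application; the Python below is a stand-alone
   illustration of the defensive pattern only. The sample User-Agent value
   is constructed for the example and every function name is hypothetical.

```python
# Added example, not Liferay code: output encoding for header- and
# profile-derived values, plus a review check for stored fields.
import html
import re

# Constructed sample User-Agent, as the session-monitoring page would
# receive it from a request; the tag inside it is the point of the test.
SAMPLE_USER_AGENT = "Mozilla/5.0 <script>alert(1)</script> (test)"


def render_session_row_unsafe(username: str, user_agent: str) -> str:
    """The vulnerable pattern: raw concatenation of request data into HTML.
    Kept here only as the 'before' of the fix."""
    return f"<tr><td>{username}</td><td>{user_agent}</td></tr>"


def render_session_row(username: str, user_agent: str) -> str:
    """Hardened form: every untrusted value is entity-encoded for the HTML
    element-content context it lands in. The same call protects the
    'Greeting' shown at login and the shutdown banner shown to all users."""
    return (
        f"<tr><td>{html.escape(username, quote=True)}</td>"
        f"<td>{html.escape(user_agent, quote=True)}</td></tr>"
    )


_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def email_safe(value: str, max_len: int = 200) -> str:
    """Before a request value is echoed into a plain-text e-mail body (the
    'Forgot Password' case), drop CR/LF and other control characters so it
    cannot start a new line in the message, and cap its length."""
    return _CONTROL_CHARS.sub("", value)[:max_len]


def contains_markup(value: str) -> bool:
    """Detection aid for reviewing stored fields (greetings, shutdown
    messages, logged User-Agents): flags values carrying HTML tag syntax."""
    return re.search(r"<\s*/?\s*[a-zA-Z]", value) is not None


if __name__ == "__main__":
    print("unsafe :", render_session_row_unsafe("alice", SAMPLE_USER_AGENT))
    print("encoded:", render_session_row("alice", SAMPLE_USER_AGENT))
    print("e-mail :", repr(email_safe("Mozilla/5.0\r\nInjected line")))
    print("flagged:", contains_markup(SAMPLE_USER_AGENT))
```

   The encoding is applied at the point of output, not on the way in, so a
   value that is legitimately allowed to contain "<" in one place is still
   displayed safely everywhere else; a rejected-on-input filter alone would
   have left the stored "Greeting" case open.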

Systems Affected

   Vendor            Status       Date Updated
   Liferay, Inc.     Vulnerable   31-Jan-2008

References

   http://www.liferay.com/web/guest/products/portal
   http://support.liferay.com/browse/LEP-4739

Credit

   Thanks to Tomasz Kuczynski for reporting this vulnerability.

   This document was written by Will Dormann.

Other Information

                Date Public 01/10/2008
       Date First Published 01/31/2008 03:04:41 PM
          Date Last Updated 01/31/2008
              CERT Advisory
                   CVE Name CVE-2008-0181
   US-CERT Technical Alerts
                     Metric 0.38
          Document Revision 1


Vulnerability Note VU#767825

Liferay Portal fails to protect against CSRF

Overview

   Liferay Portal fails to properly protect against Cross-Site Request
   Forgery (CSRF). This may allow a remote attacker to forge requests that
   Liferay Portal takes action upon.

I. Description

   Liferay Portal is an enterprise portal solution that uses Java
   technologies. Liferay Portal fails to properly protect against
   CSRF attacks.

II. Impact

   A remote attacker may be able to forge requests that the Liferay
   Portal takes action upon.

III. Solution

   This issue is addressed in Liferay version 4.4.0, as specified in
   Liferay support document LEP-4739. Version 4.4.0 forces requests
   to be in POST format, which helps mitigate CSRF attacks.
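
   Added example (not part of the bulletin, the US-CERT note or Liferay's
   code): the note's wording, "helps mitigate", is deliberate. Requiring
   POST closes the vector where a state-changing URL is triggered by an
   image or link, but a cross-site page can still submit a POST form on the
   victim's behalf, so a request-bound token check is still needed. Liferay
   is a Java application; the Python below is a stand-alone model of both
   checks. The class, the "csrf_token" field name and the sample requests
   are all hypothetical and constructed for the example.

```python
# Added example, not Liferay code: POST-only check versus a full
# synchronizer-token plus origin check for state-changing requests.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    method: str
    headers: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)
    session_id: Optional[str] = None


class CsrfGuard:
    def __init__(self, site_origin: str) -> None:
        parts = urlsplit(site_origin)
        self._scheme, self._netloc = parts.scheme, parts.netloc
        # Server-side store: session id -> token. Never a cookie, so a
        # cross-site page cannot read or replay it.
        self._tokens: Dict[str, str] = {}

    def issue_token(self, session_id: str) -> str:
        """Generate a fresh per-session token to embed in the portal's
        own forms."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def method_only_check(self, req: Request) -> bool:
        """The partial mitigation the note describes: reject anything that
        is not a POST. A forged cross-site POST form still passes."""
        return req.method == "POST"

    def _same_origin(self, url: str) -> bool:
        # Compare scheme and host exactly; a prefix match would accept a
        # look-alike host such as portal.example.evil.
        parts = urlsplit(url)
        return (parts.scheme, parts.netloc) == (self._scheme, self._netloc)

    def full_check(self, req: Request) -> bool:
        """POST only, plus Origin/Referer must be our site, plus the form
        must carry the token issued to this session."""
        if req.method != "POST":
            return False
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not self._same_origin(origin):  # missing header -> rejected
            return False
        expected = self._tokens.get(req.session_id or "")
        supplied = req.form.get("csrf_token", "")
        if expected is None:
            return False
        # Constant-time comparison on bytes; str input may be non-ASCII.
        return hmac.compare_digest(expected.encode(), supplied.encode())


if __name__ == "__main__":
    guard = CsrfGuard("https://portal.example")
    token = guard.issue_token("sess-1")
    forged = Request("POST", {"Origin": "https://attacker.example"},
                     {"greeting": "changed"}, "sess-1")
    genuine = Request("POST", {"Origin": "https://portal.example"},
                      {"greeting": "changed", "csrf_token": token}, "sess-1")
    print("forged passes POST-only:", guard.method_only_check(forged))
    print("forged passes full     :", guard.full_check(forged))
    print("genuine passes full    :", guard.full_check(genuine))
```

   Checking Origin (or Referer) and the token are independent controls;
   either alone has known gaps (header-stripping proxies on one side, a
   token leaked through a reflected XSS such as the notes above on the
   other), so a state-changing endpoint should require both.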

Systems Affected

   Vendor            Status       Date Updated
   Liferay, Inc.     Vulnerable   31-Jan-2008

References

   http://www.liferay.com/web/guest/products/portal
   http://support.liferay.com/browse/LEP-4739
   http://www.owasp.org/index.php/Cross-Site_Request_Forgery

Credit

   Thanks to Tomasz Kuczynski for reporting this vulnerability.

   This document was written by Will Dormann.

Other Information

                Date Public 01/10/2008
       Date First Published 01/31/2008 03:19:28 PM
          Date Last Updated 01/31/2008
              CERT Advisory
                   CVE Name CVE-2008-0182
   US-CERT Technical Alerts
                     Metric 4.39
          Document Revision 1

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR6ZQPCh9+71yA2DNAQKVAAP+OfYoTXzsyoy/q12yTa2vmp/Si4YkMsJ+
XVy+7SaCv4/4t5ro3gFQmmeBsYBrUg4t3bm8yUjffV4ROrQPiVO7OGCdYSSiNpLR
TYGVypXsx/e2B6Jnh6ygwJsaNRpZ/zV4uOTe6FSb6nFTIDy0vF7KHr4+6TXnJKXC
mUYPrfBl2OE=
=YXlU
-----END PGP SIGNATURE-----