Vulnerabilities > CVE-2011-1571 - Remote Security vulnerability in Liferay Portal

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
liferay
apache
nessus
exploit available

Summary

Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.

Vulnerable Configurations

Part Description Count
Application
Liferay
1

Exploit-Db

descriptionLiferay XSL - Command Execution. CVE-2011-1571. Webapps exploits for multiple platform
idEDB-ID:18715
last seen2016-02-02
modified2012-04-08
published2012-04-08
reporterSpencer McIntyre
sourcehttps://www.exploit-db.com/download/18715/
titleLiferay XSL - Command Execution

Nessus

NASL familyCGI abuses
NASL idLIFERAY_6_0_6.NASL
descriptionAccording to its self-reported version number, the installation of Liferay Portal hosted on the remote web server is affected by multiple vulnerabilities : - An arbitrary file download vulnerability exists when Apache Tomcat is used, which allows remote, authenticated users to download arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue. (CVE-2011-1502) - An arbitrary file download vulnerability exists when Apache Tomcat or Oracle GlassFish is used. The XSL Content portlet allows remote, authenticated users to read arbitrary XSL / XML files via a file:/// URL. (CVE-2011-1503) - A cross-site scripting vulnerability exists, which allows remote, authenticated users to inject arbitrary JavaScript or HTML via a blog title. (CVE-2011-1504) - A cross-site scripting vulnerability exists when Apache Tomcat is used, which allows remote, authenticated users to inject arbitrary JavaScript or HTML via a message title. (CVE-2011-1570) - An unspecified vulnerability exists when Apache Tomcat is used. The XSL Content portlet allows remote attackers to execute arbitrary commands via unknown vectors. (CVE-2011-1571) Note that Nessus has not tested for these issues but has instead relied only on the application
last seen2020-06-01
modified2020-06-02
plugin id59230
published2012-05-22
reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/59230
titleLiferay Portal < 6.0.6 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59230);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id(
    "CVE-2011-1502",
    "CVE-2011-1503",
    "CVE-2011-1504",
    "CVE-2011-1570",
    "CVE-2011-1571"
  );
  script_bugtraq_id(47082, 73497);
  script_xref(name:"EDB-ID", value:"18715");

  script_name(english:"Liferay Portal < 6.0.6 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of Liferay Portal.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Java application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the installation of
Liferay Portal hosted on the remote web server is affected by multiple
vulnerabilities :

  - An arbitrary file download vulnerability exists when
    Apache Tomcat is used, which allows remote,
    authenticated users to download arbitrary files via an
    entity declaration in conjunction with an entity
    reference, related to an XML External Entity (aka XXE)
    issue. (CVE-2011-1502)

  - An arbitrary file download vulnerability exists when
    Apache Tomcat or Oracle GlassFish is used. The XSL
    Content portlet allows remote, authenticated users to
    read arbitrary XSL / XML files via a file:/// URL.
    (CVE-2011-1503)

  - A cross-site scripting vulnerability exists, which
    allows remote, authenticated users to inject arbitrary
    JavaScript or HTML via a blog title. (CVE-2011-1504)

  - A cross-site scripting vulnerability exists when Apache
    Tomcat is used, which allows remote, authenticated users
    to inject arbitrary JavaScript or HTML via a message
    title. (CVE-2011-1570)

  - An unspecified vulnerability exists when Apache Tomcat
    is used. The XSL Content portlet allows remote attackers
    to execute arbitrary commands via unknown vectors.
    (CVE-2011-1571)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.openwall.com/lists/oss-security/2011/03/29/1");
  # https://issues.liferay.com/secure/ReleaseNote.jspa?version=10656&styleName=Html&projectId=10952
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7bdf9956");
  script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-11506");
  script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-12628");
  script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-13250");
  script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-14726");
  script_set_attribute(attribute:"see_also", value:"https://issues.liferay.com/browse/LPS-14927");
  script_set_attribute(attribute:"see_also", value:"http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_Liferay");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Liferay Portal 6.0.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-1571");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/22");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:liferay:portal");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("liferay_detect.nasl");
  script_require_keys("www/liferay_portal");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80, 443, 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");
include("webapp_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Get the ports that web servers have been found on, defaulting to
# what Liferay uses with Tomcat, their recommended bundle.
port = get_http_port(default:8080, embedded:TRUE);

# Get details of the Liferay Portal install.
install = get_install_from_kb(appname:"liferay_portal", port:port, exit_on_fail:TRUE);
dir = install["dir"];
ver = install["ver"];
url = build_url(port:port, qs:dir + "/");

if (ver == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, "Liferay Portal", url);

# Versions earlier than 6.0.6 are vulnerable.
fix = "6.0.6";
if (ver_compare(ver:ver, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, "Liferay Portal", url, ver);

set_kb_item(name:"www/" + port + "/XSS", value:TRUE);

# Report our findings.
report = NULL;
if (report_verbosity > 0)
{
  report =
    '\n  URL               : ' + url +
    '\n  Installed version : ' + ver +
    '\n  Fixed version     : ' + fix +
    '\n';
}

security_hole(port:port, extra:report);

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/111651/liferay_xsl.rb.txt
idPACKETSTORM:111651
last seen2016-12-05
published2012-04-07
reporterNicolas Gregoire
sourcehttps://packetstormsecurity.com/files/111651/Liferay-XSL-Command-Execution.html
titleLiferay XSL Command Execution