Environment
Situation
The Liferay 4.3.0 portal is vulnerable to cross-site scripting (XSS) attacks, which can allow an attacker to execute malicious script in an end user's browser, resulting in persistent defacement of the target site or the disclosure of confidential information to unauthorized third parties.
Resolution
Proposed Solutions
Solution One:
The preferred solution is to wait for the release of Novell Teaming 2.x, which no longer requires the Liferay portal and is not affected by this cross-site scripting issue. If a portal is still desired, Teaming 2.x can be used with later versions of Liferay, which also do not have the issue.
Solution Two:
Upgrade the Liferay 4.3.0 portal that is integrated with Teaming 1.x to Liferay 4.3.6, which contains the fix for the reported problem. The following steps update a Teaming 1.0.3 installation to Liferay 4.3.6.
- Shut down Teaming.
- Verify that a complete, current backup of Teaming exists, including both the Liferay (lportal) and Teaming (sitescape) databases and the file resources in the icecoredata area.
- Make a complete backup copy of the entire Teaming 1.0.3 Tomcat directory. The rest of this document refers to this backup copy as <backup tomcat> and to the original as <tomcat>.
- Download the Liferay 4.3.6 WAR file from the SourceForge site. The URL is:
http://downloads.sourceforge.net/lportal/liferay-portal-4.3.6.war
Also download the Liferay portal dependencies 4.3.6 zip file from:
http://downloads.sourceforge.net/lportal/liferay-portal-dependencies-4.3.6.zip
Alternatively, go to:
http://sourceforge.net/project/showfiles.php?group_id=49260&package_id=42607
and browse to the liferay-portal-4.3.6.war and liferay-portal-dependencies-4.3.6.zip files. Since these archives replace the portal wholesale, confirm that both downloaded completely and are the expected versions before unpacking them.
- Unzip the downloaded dependencies file (liferay-portal-dependencies-4.3.6.zip) into <tomcat>/common/lib/ext, overwriting the files already in that directory.
- Delete everything in <tomcat>/webapps/ROOT (that is, make the directory empty), then unzip the downloaded WAR file (liferay-portal-4.3.6.war) into <tomcat>/webapps/ROOT.
- Delete <tomcat>/work/Catalina/localhost/_ directory completely.
- Copy <backup tomcat>/webapps/ROOT/html/portal/terms_of_use.jsp to <tomcat>/webapps/ROOT/html/portal.
- Copy ICEcore, Novell, Novellblue, Novellgrey, and Novellwhite directories from <backup tomcat>/webapps/ROOT/html/themes into <tomcat>/webapps/ROOT/html/themes.
- Open <tomcat>/webapps/ROOT/html/themes/_unstyled/templates/init.vm in a text editor and locate the following line:
#set ($show_sign_in = $theme_display.isShowSignInIcon())
Replace it with the following line:
#set ( $show_sign_in = $theme_display.isShowSignInIcon() && !($propsUtil.containsKey("ss.hide.signin.link") && $propsUtil.get("ss.hide.signin.link").equalsIgnoreCase("true")) )
- Open <tomcat>/webapps/ROOT/html/themes/classic/templates/dock.vm in a text editor, and insert the following JavaScript at the beginning of the file:
<script type="text/javascript">
// The propsUtil and theme_display references in this block are expanded
// server-side by Velocity from portal properties and the theme display. They
// are administrator controlled, not user input, which is why their values can
// be written into the script unescaped.
function ss_logoff() {
    var x = "$propsUtil.get("ss.sso.logoff.url")";
    if (x == null || x == "") {
        // No SSO logoff URL configured: a plain Liferay sign-out is enough.
        self.location.href = "$theme_display.getURLSignOut()";
    } else {
        ss_logoff_from_liferay_then_sso();
    }
}
function ss_logoff_from_liferay_then_sso() {
    // End the Liferay session first, then redirect to the SSO logoff URL,
    // so that neither session outlives the other.
    callbackRoutine = ss_logoff_from_sso;
    var x;
    if (window.XMLHttpRequest) {
        x = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        x = new ActiveXObject("Microsoft.XMLHTTP");
    }
    var liferaySignOutURL = "$theme_display.getURLSignOut()";
    x.open("GET", liferaySignOutURL, true);
    x.onreadystatechange = function() {
        if (x.readyState != 4) {
            return;
        }
        // Redirect to the SSO logoff whether or not the Liferay sign-out
        // request itself reported success.
        if (x.status == 200) {
            callbackRoutine(x.responseText);
        } else {
            callbackRoutine(x.statusText);
        }
    }
    x.send(null);
}
function ss_logoff_from_sso(s) {
    self.location.href = "$propsUtil.get("ss.sso.logoff.url")";
}
</script>
- Also in <tomcat>/webapps/ROOT/html/themes/classic/templates/dock.vm, locate the line that looks like the following:
<a href="$sign_out_url">$sign_out_text</a>
Replace it with the following line:
<a href="javascript: ;" onClick="ss_logoff();return false;">$sign_out_text</a>
- Copy liferay-display.xml and struts-config-ext.xml from <backup tomcat>/webapps/ROOT/WEB-INF to <tomcat>/webapps/ROOT/WEB-INF, overwriting the existing files.
- Open <tomcat>/webapps/ROOT/WEB-INF/liferay-look-and-feel.xml in a text editor and insert the following immediately before the closing </look-and-feel> tag:
<theme id="Novellblue" name="Novell Blue">
    <root-path>/html/themes/${theme-id}</root-path>
    <template-extension>vm</template-extension>
</theme>
<theme id="Novellgrey" name="Novell Grey">
    <root-path>/html/themes/${theme-id}</root-path>
    <template-extension>vm</template-extension>
</theme>
<theme id="Novellwhite" name="Novell White">
    <root-path>/html/themes/${theme-id}</root-path>
    <template-extension>vm</template-extension>
</theme>
<theme id="mobile" name="Mobile">
    <root-path>/wap/themes/${theme-id}</root-path>
    <wap-theme>true</wap-theme>
</theme>
- Open <tomcat>/webapps/ROOT/WEB-INF/web.xml in a text editor. Locate the <session-timeout> element and change its value to match the corresponding value in <backup tomcat>/webapps/ROOT/WEB-INF/web.xml.
- Copy cache-multi-vm-ext.properties, portal-ext.properties, and system-ext.properties from <backup tomcat>/webapps/ROOT/WEB-INF/classes into <tomcat>/webapps/ROOT/WEB-INF/classes.
- Open <tomcat>/webapps/ROOT/WEB-INF/classes/portal-ext.properties in a text editor and append the following set of properties to it. In a Java properties file the last definition of a key wins, so any of these keys already present in the copied file (the ldap.* and auth.* settings in particular) take the appended values; check that the resulting values are the ones your site uses.
company.security.auth.type=screenName
users.screen.name.validator=com.sitescape.team.liferay.security.auth.ScreenNameValidator
omniadmin.users=2
session.timeout.warning=10
ldap.base.provider.url=ldap://localhost:389
ldap.security.principal=cn=admin,ou=system
ldap.auth.search.filter=(cn=@screen_name@)
ldap.export.enabled=false
auth.pipeline.pre=com.sitescape.team.liferay.security.auth.LDAPAuth
auth.forward.by.last.path=false
auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin,com.liferay.portal.security.auth.NtlmAutoLogin,com.liferay.portal.security.auth.OpenIdAutoLogin,com.liferay.portal.security.auth.OpenSSOAutoLogin,com.liferay.portal.security.auth.RememberMeAutoLogin,com.sitescape.team.liferay.security.auth.sso.AuthorizationHTTPHeaderLDAPAutoLogin,com.sitescape.team.liferay.security.auth.sso.BasicAuthCredentialsLDAPAutoLogin
passwords.passwordpolicytoolkit.generator=dynamic
login.events.post=com.sitescape.team.liferay.events.LoginPostAction,com.liferay.portal.events.LoginPostAction,com.liferay.portal.events.DefaultLandingPageAction
default.guest.layout.template.id=1_column
default.guest.layout.column-1=58,48_INSTANCE_1XQI,
default.guest.layout.column-2=
default.user.layout.column-1=ss_welcome_WAR_ssf_INSTANCE_wXyZ,ss_presence_WAR_ssf_INSTANCE_wXyZ,
default.user.layout.column-2=ss_toolbar_WAR_ssf_INSTANCE_wXyZ,ss_forum_WAR_ssf_INSTANCE_wXyZ,
field.enable.com.liferay.portal.model.Contact.male=false
field.enable.com.liferay.portal.model.Contact.birthday=false
admin.default.group.names=Guest
admin.email.user.added.enabled=false
admin.email.password.sent.enabled=false
calendar.email.event.reminder.enabled=false
message.boards.email.message.added.enabled=false
message.boards.email.message.updated.enabled=false
shopping.email.order.confirmation.enabled=false
shopping.email.order.shipping.enabled=false
- Copy the <backup tomcat>/webapps/ROOT/WEB-INF/classes/content/Language-ext.properties file into <tomcat>/webapps/ROOT/WEB-INF/classes/content. If the content directory does not exist, create it.
Note: Teaming 1.0.3 ships with enhanced Language properties files specifically for Liferay 4.3.0. The same is not available for other versions of Liferay, so after the upgrade users may notice a difference in translation quality when running with a later version of Liferay.
- Copy ssf-liferay.jar, ssf-liferay-c.jar (if it exists), and ssf-portalmodule.jar from <backup tomcat>/webapps/ROOT/WEB-INF/lib into <tomcat>/webapps/ROOT/WEB-INF/lib.
Note: After the upgrade, the name of the <tomcat> directory must remain the same as before the upgrade, that is, liferay-portal-tomcat-5.5-jdk5-4.3.0, even though the Liferay version number in the path is now misleading. This lets the existing installer program locate the installation area without manual adjustment, and lets the existing service setups (init.d on Linux, Windows Service on Windows) continue to operate.
- Start Teaming.
Note: The first startup after the upgrade produces many warning messages, in particular ones matching the following pattern:
WARN [DBUtil:350] The operation failed because an index or statistics with name ...
These warnings can be ignored.
Note: After the upgrade, the Teaming 1.0.3 installer must be used to reconfigure the system. As always, go to the directory containing the Teaming 1.0.3 installer program and make sure the correct installer.xml is in that directory. After upgrading to Liferay 4.3.6, the only installer option that can be used safely is Reconfigure. NEVER select the Upgrade option: it wipes out all of the Liferay upgrade work done so far and may leave the system in a broken state.
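The following Python script, added here as an illustration and not part of Novell's installer or of Liferay, performs the in-place file edits from the steps above (the init.vm line swap, the look-and-feel theme block, the session-timeout carry-over from the backup web.xml, and the portal-ext.properties append) in a way that fails instead of silently doing nothing. The line contents, markers and property keys are quoted from the steps; the function names are this example's own, and demo() runs them against a constructed miniature <tomcat> tree rather than a real installation.

```python
"""Helpers for the in-place file edits of the Liferay 4.3.0 -> 4.3.6 upgrade.

Added example, not Novell's installer or Liferay code. Line contents, markers
and keys come from the upgrade steps; function names and the sample files that
demo() builds are this example's own (constructed data, not a real install).
"""
import re
import tempfile
from pathlib import Path

OLD_SIGN_IN = "#set ($show_sign_in = $theme_display.isShowSignInIcon())"
NEW_SIGN_IN = ('#set ( $show_sign_in = $theme_display.isShowSignInIcon() && '
               '!($propsUtil.containsKey("ss.hide.signin.link") && '
               '$propsUtil.get("ss.hide.signin.link").equalsIgnoreCase("true")) )')
THEME_BLOCK = """<theme id="Novellblue" name="Novell Blue">
    <root-path>/html/themes/${theme-id}</root-path>
    <template-extension>vm</template-extension>
</theme>"""
_TIMEOUT = re.compile(r"<session-timeout>\s*(\d+)\s*</session-timeout>")


def replace_unique_line(path, old, new):
    """Replace the one line equal to `old`; fail on 0 or >1 matches so a silent
    no-op (e.g. the stock sign-out link surviving) is impossible.
    Returns False when `new` is already present, so re-running is safe."""
    p = Path(path)
    lines = p.read_text().splitlines(keepends=True)
    hits = [i for i, line in enumerate(lines) if line.strip() == old.strip()]
    if not hits and any(line.strip() == new.strip() for line in lines):
        return False
    if len(hits) != 1:
        raise ValueError(f"{path}: expected one match for {old!r}, found {len(hits)}")
    lines[hits[0]] = new + "\n"
    p.write_text("".join(lines))
    return True


def insert_before_marker(path, marker, block):
    """Insert `block` before the first occurrence of `marker` (e.g. </look-and-feel>)."""
    p = Path(path)
    text = p.read_text()
    if block.strip() in text:
        return False  # already applied
    idx = text.find(marker)
    if idx < 0:
        raise ValueError(f"{path}: marker {marker!r} not found")
    p.write_text(text[:idx] + block + "\n" + text[idx:])
    return True


def sync_session_timeout(new_web_xml, backup_web_xml):
    """Carry the <session-timeout> value of the backup web.xml into the new one."""
    old = _TIMEOUT.search(Path(backup_web_xml).read_text())
    if old is None:
        raise ValueError(f"{backup_web_xml}: no <session-timeout> element")
    p = Path(new_web_xml)
    text, n = _TIMEOUT.subn(f"<session-timeout>{old.group(1)}</session-timeout>", p.read_text())
    if n != 1:
        raise ValueError(f"{new_web_xml}: expected one <session-timeout>, found {n}")
    p.write_text(text)
    return int(old.group(1))


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value, key:value,
    'key value' and backslash line continuations. Later definitions win."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.lstrip(), ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing backslashes
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        props[m.group(1) if m else line] = m.group(2) if m else ""
    return props


def append_properties(path, extra):
    """Append `extra` to a properties file; return {key: (old, new)} for each key
    whose value the appended block changes, so every override can be confirmed."""
    p = Path(path)
    text = p.read_text()
    existing, added = parse_properties(text), parse_properties(extra)
    overridden = {k: (existing[k], v) for k, v in added.items()
                  if k in existing and existing[k] != v}
    sep = "" if not text or text.endswith("\n") else "\n"
    p.write_text(text + sep + extra.rstrip("\n") + "\n")
    return overridden


def demo():
    """Run the helpers on a constructed mini <tomcat> tree (sample data only)."""
    root = Path(tempfile.mkdtemp())
    new_tc, old_tc = root / "tomcat", root / "backup_tomcat"
    for base, timeout in ((new_tc, 30), (old_tc, 120)):  # 120 is the value to keep
        (base / "WEB-INF").mkdir(parents=True)
        (base / "WEB-INF" / "web.xml").write_text(
            f"<web-app>\n  <session-config>\n    <session-timeout>{timeout}"
            "</session-timeout>\n  </session-config>\n</web-app>\n")
    init_vm = new_tc / "init.vm"
    init_vm.write_text("## theme init\n" + OLD_SIGN_IN + "\n")
    laf = new_tc / "WEB-INF" / "liferay-look-and-feel.xml"
    laf.write_text("<look-and-feel>\n</look-and-feel>\n")
    props = new_tc / "WEB-INF" / "portal-ext.properties"  # constructed backup content
    props.write_text("ldap.base.provider.url=ldap://ldap.example.internal:389\n"
                     "ldap.export.enabled=false\n")
    return {
        "init_vm": replace_unique_line(init_vm, OLD_SIGN_IN, NEW_SIGN_IN),
        "init_vm_again": replace_unique_line(init_vm, OLD_SIGN_IN, NEW_SIGN_IN),
        "look_and_feel": insert_before_marker(laf, "</look-and-feel>", THEME_BLOCK),
        "timeout": sync_session_timeout(new_tc / "WEB-INF" / "web.xml",
                                        old_tc / "WEB-INF" / "web.xml"),
        "overridden": append_properties(props, "ldap.base.provider.url=ldap://localhost:389\n"
                                        "ldap.export.enabled=false\n"
                                        "auth.forward.by.last.path=false\n"),
        "effective": parse_properties(props.read_text()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two of these checks are worth keeping even when editing by hand: replace_unique_line refuses to continue unless the line it was told to replace occurs exactly once, and append_properties reports every key whose value the appended block changes, because the last definition of a key wins in a properties file and the appended ldap.* and auth.* lines therefore take precedence over whatever the copied portal-ext.properties already set.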