Novell Teaming Cross-Site Scripting Vulnerability fix

  • 7002999
  • 14-Apr-2009
  • 27-Apr-2012

Environment

Products:
Novell Teaming 1.0
Novell Teaming 1.0 Support Pack 1
Novell Teaming 1.0 Support Pack 2
Novell Teaming 1.0 Support Pack 3
Novell Teaming + Conferencing
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 10 Support Pack 1
Windows 2003 Server
 
Configuration:
Novell Teaming is installed correctly.

Situation

Novell Teaming, through the Liferay 4.3.0 portal, is vulnerable to Cross-site Scripting attacks which can allow an attacker to cause execution of malicious scripting code in the browser of an end-user, resulting in a persistent defacement of the target site, or the redirection of confidential information to unauthorized third parties.

Resolution

The Liferay 4.3.0 portal is vulnerable to Cross-site scripting attacks which can allow an attacker to cause execution of malicious scripting code in the browser of an end-user, resulting in a persistent defacement of the target site, or the redirection of confidential information to unauthorized third parties.

Proposed Solutions

Solution One:
The preferred solution is to wait until the release of Novell Teaming 2.x, which no longer requires the Liferay portal and does not have the Cross-site scripting issue. Teaming 2.x can be used in connection with later versions of Liferay, which also do not have the Cross-site scripting issues, if a portal solution is still desired.

Solution Two:
Upgrade the Liferay 4.3.0 portal that is integrated with Teaming 1.x to the Liferay 4.3.6 portal, which contains the fixes for the reported problem. The following steps describe how to update a Teaming 1.0.3 installation with Liferay 4.3.6.

  • Shut down Teaming.

  • Verify the last complete backup of Teaming, including both the Liferay (lportal) and Teaming (sitescape) databases, and the file resources in the icecoredata area.

  • Make a complete backup copy of the entire Teaming 1.0.3 Tomcat directory. The rest of this document refers to this backup copy as <backup tomcat>, and to the original one as <tomcat>.

  • Download the Liferay 4.3.6 WAR file from the SourceForge site.
    The URL is:
    http://downloads.sourceforge.net/lportal/liferay-portal-4.3.6.war
    Also download the Liferay portal dependencies 4.3.6 zip file from the URL:
    http://downloads.sourceforge.net/lportal/liferay-portal-dependencies-4.3.6.zip
    Alternatively, you can go to:
    http://sourceforge.net/project/showfiles.php?group_id=49260&package_id=42607
    and browse to the liferay-portal-4.3.6.war and liferay-portal-dependencies-4.3.6.zip files.

  • Unzip the downloaded dependencies file (liferay-portal-dependencies-4.3.6.zip) into <tomcat>/common/lib/ext, overwriting the ones already in that directory.

  • Delete everything in <tomcat>/webapps/ROOT (that is, make the directory empty), then unzip the downloaded WAR file (liferay-portal-4.3.6.war) into <tomcat>/webapps/ROOT.

  • Delete the <tomcat>/work/Catalina/localhost/_ directory completely.

  • Copy <backup tomcat>/webapps/ROOT/html/portal/terms_of_use.jsp to <tomcat>/webapps/ROOT/html/portal.

  • Copy the ICEcore, Novell, Novellblue, Novellgrey, and Novellwhite directories from <backup tomcat>/webapps/ROOT/html/themes into <tomcat>/webapps/ROOT/html/themes.

  • Open <tomcat>/webapps/ROOT/html/themes/_unstyled/templates/init.vm in a text editor and locate the following line:

    #set ($show_sign_in = $theme_display.isShowSignInIcon())

    Replace it with the following line:

    #set ( $show_sign_in = $theme_display.isShowSignInIcon() && !($propsUtil.containsKey("ss.hide.signin.link") && $propsUtil.get("ss.hide.signin.link").equalsIgnoreCase("true")) )

  • Open <tomcat>/webapps/ROOT/html/themes/classic/templates/dock.vm in a text editor, and insert the following JavaScript text at the beginning of the file:

<script type="text/javascript">
function ss_logoff() {
     var x = "$propsUtil.get("ss.sso.logoff.url")";
     var y = "$theme_display.getURLSignOut()";
     if(x == null || x == "") {
          self.location.href="$theme_display.getURLSignOut()"
     } else {
          ss_logoff_from_liferay_then_sso()
     }
}
function ss_logoff_from_liferay_then_sso() {
     callbackRoutine = ss_logoff_from_sso
     var x;

     if (window.XMLHttpRequest) {
     x = new XMLHttpRequest();
     } else if (window.ActiveXObject) {
     x = new ActiveXObject("Microsoft.XMLHTTP");
     }

     var liferaySignOutURL="$theme_display.getURLSignOut()"

     x.open("GET", liferaySignOutURL, true);
     x.onreadystatechange = function() {
          if (x.readyState != 4) {
               return;
          }
          if (x.status == 200) {
               callbackRoutine(x.responseText) 
          } else {
               //alert(x.status + " \n" + x.statusText)
               callbackRoutine(x.statusText)
          }
     }
     x.send(null);
     delete x;
}
function ss_logoff_from_sso(s) {
     self.location.href="$propsUtil.get("ss.sso.logoff.url")"
}
</script>

  • Also in <tomcat>/webapps/ROOT/html/themes/classic/templates/dock.vm, locate the line that looks like the following:

    <a href="$sign_out_url">$sign_out_text</a>

    Replace the above line with the following line:

    <a href="javascript: ;" onClick="ss_logoff();return false;">$sign_out_text</a>

  • Copy liferay-display.xml and struts-config-ext.xml from <backup tomcat>/webapps/ROOT/WEB-INF to <tomcat>/webapps/ROOT/WEB-INF, overwriting the existing files.

  • Open <tomcat>/webapps/ROOT/WEB-INF/liferay-look-and-feel.xml in a text editor, and insert the following immediately before the closing </look-and-feel> tag.

<theme id="Novellblue" name="Novell Blue">
     <root-path>/html/themes/${theme-id}</root-path>
     <template-extension>vm</template-extension>
</theme>
<theme id="Novellgrey" name="Novell Grey">
     <root-path>/html/themes/${theme-id}</root-path>
     <template-extension>vm</template-extension>
</theme>
<theme id="Novellwhite" name="Novell White">
     <root-path>/html/themes/${theme-id}</root-path>
     <template-extension>vm</template-extension>
</theme>
<theme id="mobile" name="Mobile">
     <root-path>/wap/themes/${theme-id}</root-path>
     <wap-theme>true</wap-theme>
</theme>

  • Open <tomcat>/webapps/ROOT/WEB-INF/web.xml in a text editor. Locate the <session-timeout> element and change its value to match the corresponding value in <backup tomcat>/webapps/ROOT/WEB-INF/web.xml.

  • Copy cache-multi-vm-ext.properties, portal-ext.properties, and system-ext.properties from <backup tomcat>/webapps/ROOT/WEB-INF/classes into <tomcat>/webapps/ROOT/WEB-INF/classes.

  • Open <tomcat>/webapps/ROOT/WEB-INF/classes/portal-ext.properties in a text editor, and append the following set of properties to it.

company.security.auth.type=screenName

users.screen.name.validator=com.sitescape.team.liferay.security.auth.ScreenNameValidator

omniadmin.users=2

session.timeout.warning=10

ldap.base.provider.url=ldap://localhost:389

ldap.security.principal=cn=admin,ou=system

ldap.auth.search.filter=(cn=@screen_name@)

ldap.export.enabled=false

auth.pipeline.pre=com.sitescape.team.liferay.security.auth.LDAPAuth

auth.forward.by.last.path=false

auto.login.hooks=com.liferay.portal.security.auth.CASAutoLogin,com.liferay.portal.security.auth.NtlmAutoLogin,com.liferay.portal.security.auth.OpenIdAutoLogin,com.liferay.portal.security.auth.OpenSSOAutoLogin,com.liferay.portal.security.auth.RememberMeAutoLogin,com.sitescape.team.liferay.security.auth.sso.AuthorizationHTTPHeaderLDAPAutoLogin,com.sitescape.team.liferay.security.auth.sso.BasicAuthCredentialsLDAPAutoLogin

passwords.passwordpolicytoolkit.generator=dynamic

login.events.post=com.sitescape.team.liferay.events.LoginPostAction,com.liferay.portal.events.LoginPostAction,com.liferay.portal.events.DefaultLandingPageAction

default.guest.layout.template.id=1_column

default.guest.layout.column-1=58,48_INSTANCE_1XQI,

default.guest.layout.column-2=

default.user.layout.column-1=ss_welcome_WAR_ssf_INSTANCE_wXyZ,ss_presence_WAR_ssf_INSTANCE_wXyZ,

default.user.layout.column-2=ss_toolbar_WAR_ssf_INSTANCE_wXyZ,ss_forum_WAR_ssf_INSTANCE_wXyZ,

field.enable.com.liferay.portal.model.Contact.male=false

field.enable.com.liferay.portal.model.Contact.birthday=false

admin.default.group.names=Guest

admin.email.user.added.enabled=false

admin.email.password.sent.enabled=false

calendar.email.event.reminder.enabled=false

message.boards.email.message.added.enabled=false

message.boards.email.message.updated.enabled=false

shopping.email.order.confirmation.enabled=false

shopping.email.order.shipping.enabled=false

  • Copy the <backup tomcat>/webapps/ROOT/WEB-INF/classes/content/Language-ext.properties file into <tomcat>/webapps/ROOT/WEB-INF/classes/content. If the "content" directory does not exist, create it.

    Note: Teaming 1.0.3 ships with enhanced Language properties files specifically for Liferay 4.3.0. The same is not available for other versions of Liferay, so after the upgrade users may experience different translation quality when running with a later version of Liferay.

  • Copy the ssf-liferay.jar, ssf-liferay-c.jar (if it exists), and ssf-portalmodule.jar files from <backup tomcat>/webapps/ROOT/WEB-INF/lib into <tomcat>/webapps/ROOT/WEB-INF/lib.

    Note: After the upgrade, the name of the <tomcat> directory must remain the same as before the upgrade. In other words, it must remain liferay-portal-tomcat-5.5-jdk5-4.3.0, even though the Liferay version number in the directory path could be misleading. This lets the existing installer program locate the installation area without having to be manually adjusted for a changed name. It also allows the existing service setups (init.d on Linux and Windows Service on Windows systems) to continue to operate.

  • Start Teaming.

    Note: The first startup after the upgrade will produce a lot of warning messages, especially messages with the following pattern:

    WARN [DBUtil:350] The operation failed because an index or statistics with name ...

    Ignore these warning messages.

    Note: After the upgrade, the Teaming 1.0.3 installer must be used to re-configure the system. As always, go to the directory in which the Teaming 1.0.3 installer program is located and make sure that the correct installer.xml is in the directory. After upgrading to Liferay 4.3.6, the only option that can be used safely in the installer program is the Reconfigure option. NEVER select the Upgrade option. If the Upgrade option is used, it will wipe out all the Liferay upgrade work done so far and may leave the system in a broken state.
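
Added example (not part of the original Novell document): a read-only shell check that can be run before starting Teaming to confirm that the copy, delete and edit steps above were carried out. The script and function names are hypothetical; the file names and marker strings are the ones given in the steps above.

```shell
#!/bin/sh
# Added example: read-only check of the Liferay 4.3.6 upgrade steps listed above.
# Run as: sh check_upgrade.sh "<backup tomcat>" "<tomcat>"   (script name is hypothetical)

check_upgrade() {  # prints one FAIL line per problem; returns 0 only if none were found
    backup=$1/webapps/ROOT; new=$2/webapps/ROOT; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # Files the procedure copies unchanged from the backup must be byte-identical.
    for f in html/portal/terms_of_use.jsp \
             WEB-INF/liferay-display.xml WEB-INF/struts-config-ext.xml \
             WEB-INF/classes/cache-multi-vm-ext.properties \
             WEB-INF/classes/system-ext.properties \
             WEB-INF/classes/content/Language-ext.properties \
             WEB-INF/lib/ssf-liferay.jar WEB-INF/lib/ssf-portalmodule.jar; do
        cmp -s "$backup/$f" "$new/$f" || fail "$f is missing or differs from the backup"
    done
    # ssf-liferay-c.jar is only copied if the backup has it.
    if [ -f "$backup/WEB-INF/lib/ssf-liferay-c.jar" ]; then
        cmp -s "$backup/WEB-INF/lib/ssf-liferay-c.jar" "$new/WEB-INF/lib/ssf-liferay-c.jar" ||
            fail "WEB-INF/lib/ssf-liferay-c.jar is missing or differs from the backup"
    fi
    # Theme directories carried over from the backup.
    for d in ICEcore Novell Novellblue Novellgrey Novellwhite; do
        [ -d "$new/html/themes/$d" ] || fail "theme directory $d was not copied"
    done
    # The work directory of the old portal must have been deleted.
    [ ! -e "$2/work/Catalina/localhost/_" ] || fail "work/Catalina/localhost/_ still exists"

    # Hand edits: each file must contain the marker text from its step.
    has() { grep -qF -- "$2" "$new/$1" 2>/dev/null || fail "$1 lacks: $2"; }
    has html/themes/_unstyled/templates/init.vm 'ss.hide.signin.link'
    has html/themes/classic/templates/dock.vm 'function ss_logoff()'
    has html/themes/classic/templates/dock.vm 'onClick="ss_logoff();return false;"'
    for id in Novellblue Novellgrey Novellwhite mobile; do
        has WEB-INF/liferay-look-and-feel.xml "<theme id=\"$id\""
    done
    has WEB-INF/classes/portal-ext.properties \
        'auth.pipeline.pre=com.sitescape.team.liferay.security.auth.LDAPAuth'
    has WEB-INF/classes/portal-ext.properties \
        'users.screen.name.validator=com.sitescape.team.liferay.security.auth.ScreenNameValidator'

    [ "$fails" -eq 0 ]
}

if [ "$#" -eq 2 ]; then check_upgrade "$1" "$2"; fi
```

The check does not compare the <session-timeout> value in web.xml or the full set of appended portal-ext.properties entries; review those by hand.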

Status

Security Alert

Bug Number

478254

Additional Information

Security risk: Low to Medium
 
Discovered and reported by: Konstantin Baurer and Michael Kirchner – SEC Consult Vulnerability Lab (http://www.sec-consult.com), CVE-2009-1294