In gb_liferay_detect.nasl the version grabbing regex pattern "Liferay-Portal: (Liferay ([^0-9]+)([0-9.]+))( (CE|EE|DE|DXP))?( ([GA0-9]+))?" has trouble parsing Liferay server headers that do not advertise any version (something that can be optionally set in a config element, see https://liferay.dev/forums/-/message_boards/message/68326822).
The current regex causes the grab to wrap over other HTTP headers, resulting in the "version" including arbitrary data.
Example of a header causing this:
HTTP/1.1 200
Server: apache
Date: Mon, 22 Jun 2022 20:23:52 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1234
Connection: keep-alive
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Liferay-Portal: Liferay Digital Experience Platform
ETag: "0"
Strict-Transport-Security: max-age=3600
This will result in a match up to the "0" from the ETag header, and thus the version grabbed will include HSTS header data (typically here it'll end up being 3600).
The problematic part in the regex is probably [^0-9]+, which seems to include the newline of HTTP headers (probably because it's different from the OS POSIX newline?) and results in a multiline match.
It could probably be changed to a more restrictive match, for instance [a-zA-Z ]+, which would work equally well for current cases.
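To make the behaviour reproducible outside the scanner, here is an added Python check (not part of the report or of gb_liferay_detect.nasl) that applies the quoted pattern and the suggested restricted pattern to the example headers above. The headers with a version ("7.2.10 DXP GA1") are constructed to fit the regex's expected format; the capture values are what Python's re module produces, which shares the relevant semantics (a negated class such as [^0-9] matches newline characters), so the exact text the NASL engine ends up storing is an assumption.

```python
import re

# Constructed sample response, reproducing the report's example header
# (CRLF line endings as they appear on the wire).
HEADERS_NO_VERSION = (
    "HTTP/1.1 200\r\n"
    "Server: apache\r\n"
    "Date: Mon, 22 Jun 2022 20:23:52 GMT\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 1234\r\n"
    "Connection: keep-alive\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1\r\n"
    "Liferay-Portal: Liferay Digital Experience Platform\r\n"
    'ETag: "0"\r\n'
    "Strict-Transport-Security: max-age=3600\r\n"
    "\r\n"
)

# Constructed header that does advertise a version, laid out the way the
# regex expects (product, version, edition, release).
HEADERS_WITH_VERSION = (
    "HTTP/1.1 200\r\n"
    "Liferay-Portal: Liferay Digital Experience Platform 7.2.10 DXP GA1\r\n"
    "\r\n"
)

# The pattern quoted in the report.
ORIGINAL_RE = re.compile(
    r"Liferay-Portal: (Liferay ([^0-9]+)([0-9.]+))( (CE|EE|DE|DXP))?( ([GA0-9]+))?"
)

# The suggested restriction: the product name may only contain letters and
# spaces, so the class can no longer swallow a CRLF and run into later headers.
RESTRICTED_RE = re.compile(
    r"Liferay-Portal: (Liferay ([a-zA-Z ]+)([0-9.]+))( (CE|EE|DE|DXP))?( ([GA0-9]+))?"
)


def grab(pattern, headers):
    """Return (product, version, edition, release) from the capture groups,
    or None when the pattern does not match at all."""
    m = pattern.search(headers)
    if m is None:
        return None
    return (m.group(2).strip(), m.group(3), m.group(5), m.group(7))


def match_crosses_line(pattern, headers):
    """True if the full match spans more than one header line, i.e. the
    regex has wrapped over into an unrelated header."""
    m = pattern.search(headers)
    return m is not None and ("\r\n" in m.group(0) or "\n" in m.group(0))


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL_RE), ("restricted", RESTRICTED_RE)):
        print(name, "with version:", grab(pat, HEADERS_WITH_VERSION))
        print(name, "no version:", grab(pat, HEADERS_NO_VERSION),
              "crosses line:", match_crosses_line(pat, HEADERS_NO_VERSION))
```

With the original pattern the match on the version-less header runs through the CRLF into the ETag line and reports "0" as the version; with the restricted class the version-less header simply does not match, while the header that does carry a version is parsed identically by both patterns.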