Versions Compared

Old Version 2

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version 3

changes.mady.by.user Lukasz Lenart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Who should read this

All Struts 2 developers

Impact of vulnerability

Injection of malicious client side code

Maximum security rating

Important

Recommendation

Developers using Struts 2 tags should immediately upgrade to Struts 2.2.3

Affected Software

Struts 2.0.0 - Struts 2.2.1.1

Original JIRA Tickets

WW-2414,WW-24273579

Problem

By default, XWork doesn't escapes action's names in automatically generated error page and this allow for successful XSS attack. When DMI is enabled, action's name is generated dynamically base on request parameters. Thus allow to call non-existing page and method to produce error page with injected code as below

...

<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>

You can obtain Struts 2.2.3 here.