Summary
Excerpt |
---|
Possible XSS vulnerability in |
Who should read this | All Struts 2 developers and users |
---|---|
Impact of vulnerability | Possible |
Remote Code Execution |
Maximum security rating |
---|
Moderate |
Recommendation |
---|
Locale
object constructed by I18NInterceptor
as it may contain user specific string which may leads to XSS vulnerability. Alternatively upgrade to Always validate type and content of uploaded files, do not expose them directly in your web application. Alternatively upgrade to Struts 2.3.20.3, Struts 2.3.24.3 or Struts 2.3.28.1. | |
Affected Software | Struts 2.0.0 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24. |
---|
3) |
Reporter |
---|
GENXOR - genxors at gmail dot com - Qihoo 360 SkyEye Lab | |
CVE Identifier | CVE-2016- |
---|
3082 |
Problem
The Apache Struts framework uses I18NInterceptor
to allow users and developers switch language used in the framework and an application built on top of it. The problem is that the interceptor doesn't perform any validation of the user input and accept arbitrary string which can be used by a developer to display language selected by the user. However, the framework doesn't expose the value directly in UI.
Solution
XSLTResult
allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
Solution
Always validate type and content of uploaded files. We encourage you to upgrade to one of the versions of the Apache Struts presented above.If you want present language selected by user based on I18NInterceptor
always escape the string before presenting it to the user. Alternatively upgrade to Struts 2.3.28.
Backward compatibility
No issues expected when upgrading to Struts 2.3.20.3, 2.3.24.3 and 2.3.28.1
Workaround
When needed you can use StringEscapeUtils from the Apache Commons to escape the string.Implement your own XSLTResult
based on code of the recommended versions.