Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Summary


Excerpt

Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags



Who should read this

All Struts 2 developers

Impact of vulnerability

Injection of malicious client side code

Maximum security rating

Critical

Important

Recommendation

Developers using Struts 2 tags should immediately upgrade to Struts 2.

0.11

2.1

Affected Software

Struts 2.0.0 - Struts 2.

0

1.8.

11

1

Original JIRA Tickets

WW-2414, WW-2427

CVE IdentifierCVE-2008-6682

Problem

For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered. The following scenarios are known:

  • A parameter value included in the construction of a <s:a> result can inject an unescaped double quote, thus being able to inject code in the resulting HTML by escaping the rendered href attribute.
  • Both the <s:url> and the <s:a> tag fail to escape <script> tags when includeParams is set to any other value than "none", which can be exploited by calling the containing JSP/action with get GET parameter parameters such as http://localhost/foo/bar.action?Image Removed<script>alert(1)</script>test=hello

...

  • Double quotes do get escaped for parameter values used to constuct the output of a <s:a> tag
  • <script> tokens do get recursively escaped for parameter values used to contruct the output of <s:a> and <s:url> tags You can obtain the Struts

Later findings revealed that 2.0.11.1

...

does not fix the issue properly.

Minimum required version fixing this particular issue: 2.2.1