Summary
Excerpt |
---|
Multiple Cross site scripting -Site Scripting (XSS) vulnerability on <s:url> and <s:a> tagsin XWork generated error pages |
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Injection of malicious client side code |
Maximum security rating | Important |
Recommendation | Developers using Struts 2 tags should immediately upgrade to Struts 2.2.3 |
Affected Software | Struts 2.0.0 - Struts 2.2.1.1 |
Original JIRA Tickets |
Problem
For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered. The following scenarios are known:
...
By default, XWork doesn't escapes action's names in automatically generated error page and this allow for successful XSS attack. When DMI is enabled, action's name is generated dynamically base on request parameters. Thus allow to call non-existing page and method to produce error page with injected code as below
http://localhost:8080/struts2-blank/home.action!login:cantLogin<script>alert(document.cookie)</script>=some_value
...
Solution
As of Struts 2.2.0.11.1
...
3
- Disable DMI support
- Define error page in struts.xml (as below)
<global-results>
<result name="error">/error_page.jsp</result>
</global-results>
<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>
...
You can obtain Struts 2.0.11.1 as a drop in replacement for Struts 2.0.11 to get the fixed Struts 2 core library2.3 here.