...
Who should read this | All Struts 2 developers |
---|---|
Impact of vulnerability | Injection of malicious client side code |
Maximum security rating | Important |
Recommendation | Developers using Struts 2 tags should immediately upgrade to Struts 2.2.3 |
Affected Software | Struts 2.0.0 - Struts 2.2.1.1 |
Original JIRA Tickets |
Problem
By default, XWork doesn't escapes action's names in automatically generated error page and this allow for successful XSS attack. When DMI is enabled, action's name is generated dynamically base on request parameters. Thus allow to call non-existing page and method to produce error page with injected code as below
...
<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>
You can obtain Struts 2.2.3 here.