You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Summary

Multiple Cross-Site Scripting (XSS) in XWork generated error pages

Who should read this

All Struts 2 developers

Impact of vulnerability

Injection of malicious client side code

Maximum security rating

Important

Recommendation

Developers using Struts 2 tags should immediately upgrade to Struts 2.2.3

Affected Software

Struts 2.0.0 - Struts 2.2.1.1

Original JIRA Tickets

WW-2414,WW-2427

Problem

By default, XWork doesn't escapes action's names in automatically generated error page and this allow for successful XSS attack. When DMI is enabled, action's name is generated dynamically base on request parameters. Thus allow to call non-existing page and method to produce error page with injected code as below

http://localhost:8080/struts2-blank/home.action!login:cantLogin<script>alert(document.cookie)</script>=some_value

Solution

As of Struts 2.2.3

  • Disable DMI support
  • Define error page in struts.xml (as below)

<global-results>
<result name="error">/error_page.jsp</result>
</global-results>

<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>

You can obtain Struts 2.2.3 here.

  • No labels