Summary
Multiple Cross-Site Scripting (XSS) in XWork generated error pages
Who should read this |
All Struts 2 developers |
---|---|
Impact of vulnerability |
Injection of malicious client side code |
Maximum security rating |
Important |
Recommendation |
Developers using Struts 2 tags should immediately upgrade to Struts 2.2.3 |
Affected Software |
Struts 2.0.0 - Struts 2.2.1.1 |
Original JIRA Tickets |
Problem
By default, XWork doesn't escapes action's names in automatically generated error page and this allow for successful XSS attack. When DMI is enabled, action's name is generated dynamically base on request parameters. Thus allow to call non-existing page and method to produce error page with injected code as below
http://localhost:8080/struts2-blank/home.action!login:cantLogin<script>alert(document.cookie)</script>=some_value
Solution
As of Struts 2.2.3
- Disable DMI support
- Define error page in struts.xml (as below)
<global-results>
<result name="error">/error_page.jsp</result>
</global-results>
<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>
You can obtain Struts 2.2.3 here.