struts-commits mailing list archives

From lukaszlen...@apache.org
Subject svn commit: r963024 - /websites/production/struts/content/docs/s2-025.html
Date Tue, 25 Aug 2015 09:08:38 GMT
Author: lukaszlenart
Date: Tue Aug 25 09:08:37 2015
New Revision: 963024

Log:
Updates production

Modified:
    websites/production/struts/content/docs/s2-025.html

Modified: websites/production/struts/content/docs/s2-025.html
==============================================================================
--- websites/production/struts/content/docs/s2-025.html (original)
+++ websites/production/struts/content/docs/s2-025.html Tue Aug 25 09:08:37 2015
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-025-Summary">Summary</h2>Cross-Site
Scripting Vulnerability in Debug Mode<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p><span>A</span><span>ffects
of a cross-site scripting vulnerability </span>when debug mode is switched on in production
environment.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum
security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Turn off debug mode in production
environment. An upgr
 ade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2320">Struts
2.3.20</a> is recommended.</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">Taki
Uchiyama, JPCERT/CC</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>CVE-2015-5169</p></td></tr></tbody></table></div><h2
id="S2-025-Problem">Problem</h2><p>When the Struts2 debug mode is turned on,
under certain conditions&#160;an arbitrary&#160;script may be executed in the 'Problem
Report' screen.</p><h2 id="S2-025-Solution">Solution</h2><p>It is
g
 enerally not advisable to have debug mode switched on outside of the development environment.
Debug mode should always be turned off in production setup. Also never expose JSPs files directly
and hide them inside&#160;<code>WEB-INF</code> folder or define dedicated
security constraints to block access to raw JSP files.&#160;Please also ready our&#160;<a
shape="rect" href="security.html">Security</a>&#160;guide - it contains useful
informations how to secure your application.</p><p>Struts &gt;= 2.3.20 is
not vulnerable to this attack. We recommend upgrading to Struts 2.3.20 or higher.</p><h2
id="S2-025-Backwardcompatibility">Backward compatibility</h2><p>No backward
compatibility problems are expected.</p><h2 id="S2-025-Workaround">Workaround</h2><h2
id="S2-025-UpgradetoStruts2.3.20"><span style="font-size: 14.0px;line-height: 20.0px;">Upgrade
to Struts 2.3.20</span></h2><p><span style="font-size: 14.0px;line-height:
1.4285715;"><br clear="none"></span></p></div>
+            <div id="ConfluenceContent"><h2 id="S2-025-Summary">Summary</h2>Cross-Site
Scripting Vulnerability in Debug Mode<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p><span>A</span><span>ffects
of a cross-site scripting vulnerability </span>when debug mode is switched on in production
environment.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum
security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Turn off debug mode in production
environment. An upgr
 ade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2320">Struts
2.3.20</a> is recommended.</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">Taki
Uchiyama, JPCERT/CC</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>CVE-2015-5169</p></td></tr></tbody></table></div><h2
id="S2-025-Problem">Problem</h2><p>When the Struts2 debug mode is turned on,
under certain conditions&#160;an arbitrary&#160;script may be executed in the 'Problem
Report' screen.</p><h2 id="S2-025-Solution">Solution</h2><p>It is
g
 enerally not advisable to have debug mode switched on outside of the development environment.
Debug mode should always be turned off in production setup. Also never expose JSPs files directly
and hide them inside&#160;<code>WEB-INF</code> folder or define dedicated
security constraints to block access to raw JSP files.&#160;Please also ready our&#160;<a
shape="rect" href="security.html">Security</a>&#160;guide - it contains useful
informations how to secure your application.</p><p>Struts &gt;= 2.3.20 is
not vulnerable to this attack. We recommend upgrading to Struts 2.3.20 or higher.</p><h2
id="S2-025-Backwardcompatibility">Backward compatibility</h2><p>No backward
compatibility problems are expected.</p><h2 id="S2-025-Workaround">Workaround</h2><p>Upgrade
to Struts 2.3.20</p><p><span style="font-size: 14.0px;line-height: 1.4285715;"><br
clear="none"></span></p></div>
         </div>
 
         
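Review bot: the rewritten Workaround section in the `+` block (the last `<h2 id="S2-025-Workaround">Workaround</h2><p>Upgrade to Struts 2.3.20</p>` before the closing `</div>`) now only repeats the Recommendation and Solution instead of giving users who cannot upgrade yet an actual workaround; the mitigations already stated under Solution (turn debug mode off outside the development environment, keep JSP files under `WEB-INF` or add security constraints that block access to raw JSP files) belong here, or the Workaround heading should be dropped so it does not promise content it lacks. The change also carries several wording defects over unchanged into the `+` block: "Affects of a cross-site scripting vulnerability" should read "Effects of ...", the Affected Software cell reads "Struts 2.0.0 - Struts Struts 2.3.16.3" with a duplicated "Struts", "Please also ready our Security guide" should be "read", "informations" should be "information", and "JSPs files" should be "JSP files". Finally, the trailing `<p><span style="font-size: 14.0px;line-height: 1.4285715;"><br clear="none"></span></p>` is an empty Confluence-export paragraph and can be removed.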


