Return-Path: 
 <issues-return-27267-apmail-struts-issues-archive=struts.apache.org@struts.apache.org>
X-Original-To: apmail-struts-issues-archive@minotaur.apache.org
Delivered-To: apmail-struts-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 5540C18ED9
	for <apmail-struts-issues-archive@minotaur.apache.org>;
 Fri,  4 Mar 2016 05:38:41 +0000 (UTC)
Received: (qmail 52738 invoked by uid 500); 4 Mar 2016 05:38:41 -0000
Delivered-To: apmail-struts-issues-archive@struts.apache.org
Received: (qmail 52679 invoked by uid 500); 4 Mar 2016 05:38:41 -0000
Mailing-List: contact issues-help@struts.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@struts.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@struts.apache.org>
List-Post: <mailto:issues@struts.apache.org>
List-Id: <issues.struts.apache.org>
Reply-To: dev@struts.apache.org
Delivered-To: mailing list issues@struts.apache.org
Received: (qmail 52639 invoked by uid 99); 4 Mar 2016 05:38:40 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 04 Mar 2016 05:38:40 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id B94B32C1F58
	for <issues@struts.apache.org>; Fri,  4 Mar 2016 05:38:40 +0000 (UTC)
Date: Fri, 4 Mar 2016 05:38:40 +0000 (UTC)
From: "Lukasz Lenart (JIRA)" <jira@apache.org>
To: issues@struts.apache.org
Message-ID: <JIRA.12833463.1432827212000.2642.1457069920755@Atlassian.JIRA>
In-Reply-To: <JIRA.12833463.1432827212000@Atlassian.JIRA>
References: <JIRA.12833463.1432827212000@Atlassian.JIRA>
 <JIRA.12833463.1432827212485@arcas>
Subject: [jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with
 <s:textfield>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15179365#comment-15179365 ] 

Lukasz Lenart commented on WW-4507:
-----------------------------------

Great, thanks!

> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
>                 Key: WW-4507
>                 URL: https://issues.apache.org/jira/browse/WW-4507
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.3
>         Environment: Operating System:  Windows 7.  Application Server:  JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Developloment Framework:  Struts 2.3.16.3.  Browser:  FireFox 38.0.1
>            Reporter: brian neisen
>            Assignee: Rene Gielen
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.25, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the <s:textfield> tag.   When loading a url in a browser with some param name, in this case "myinput", and the jsp being loaded has the tag <s:textfield name="myinput" id="myinput"></s:textfield>, an alert message is popped open in the browser- which is WhiteHat's method of showing the vulnerability.  Example url is: [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)