struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4625) Struts 2 XSS vulnerability with <s:textfield> when <s:include> is used.
Date Sat, 07 May 2016 05:02:12 GMT

    [ https://issues.apache.org/jira/browse/WW-4625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15275086#comment-15275086 ]

Lukasz Lenart commented on WW-4625:
-----------------------------------

I don't think we can do anything about that, I would just prepare an announcement about using
the latest JRE and using UTF-8 encoding everywhere.

> Struts 2 XSS vulnerability with <s:textfield> when <s:include> is used.
> -----------------------------------------------------------------------
>
>                 Key: WW-4625
>                 URL: https://issues.apache.org/jira/browse/WW-4625
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.24, 2.3.28
>         Environment: Operating System: Windows 7(N/A).
> Application Server: Tomcat 6(any server running on JRE1.6 or before JRE).
> Java: jdk1.5.0.11.
> Developloment Framework: Struts 2.3.28, 2.3.24.1.
> Browser: FireFox 38.0.1.
>            Reporter: Naozumi Taromaru
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.29
>
>
> <s:include> tag and JspTemplateEngine use
> org.apache.struts2.components.Include#include.
> (I use <s:include> tag.)
> The included page is encoded with the response character encoding (default is ISO-8859-1 (ServletResponse)).
> But the encoded result is decoded with the 'request' character encoding (default is UTF-8 (@Inject(StrutsConstants.STRUTS_I18N_ENCODING))).
> org.apache.struts2.components.Include uses the wrong character encoding.
> If the request and response character encodings are specifically configured to the same character encoding,
> there are no problems.
> However, if the request and response character encodings are not specifically configured
> (or <%@ page contentType="text/html; charset=ISO-8859-1" %> is written in the JSP only),
> the included page is encoded with ISO-8859-1 and decoded with UTF-8.
> By using the old decoding rule of UTF-8 (enabled on JRE1.5.0_16 or before and JRE1.6.0_10 or before),
> an XSS vulnerability occurs, even if the input value is sanitized when output as <s:textfield>.
> Please refer to description of WW-4507 for sample attack parameter information.
> Please refer to my comment written in WW-4507 for more analysis information.
> P.S.
> I'm thinking WW-4507(S2-028) has been caused by this.
> (WW-4507(S2-028) is not fixed in 2.3.28.)
> But if it's different, please show the hidden reproduction condition for WW-4507.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
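As an added example, not part of the JIRA thread or of Struts' own code, the following Python model reproduces the charset round trip the issue describes: the included JSP is written with the response charset and read back with the request charset (`struts.i18n.encoding`). It uses a strict UTF-8 decoder, as current JREs do, so a mismatch fails loudly instead of silently reinterpreting bytes, and it adds a configuration check that both charsets agree. The page fragment and the function names are constructed for illustration.

```python
import codecs

# Constructed sample: an included JSP fragment after Struts has HTML-escaped the
# <s:textfield> value. The non-ASCII label is what makes a charset mismatch visible.
INCLUDED_PAGE = 'Caf\u00e9: <input type="text" name="q" value="a&lt;b"/>'

DEFAULT_RESPONSE_CHARSET = "ISO-8859-1"  # ServletResponse default
DEFAULT_REQUEST_CHARSET = "UTF-8"        # struts.i18n.encoding default


def canonical(charset: str) -> str:
    """Canonical codec name so 'utf-8', 'UTF-8' and 'utf8' compare equal."""
    return codecs.lookup(charset).name


def charsets_agree(response_charset: str, request_charset: str) -> bool:
    """Configuration check: the include round trip is only lossless when both
    sides use one charset (the 'specifically configured to the same' case)."""
    return canonical(response_charset) == canonical(request_charset)


def simulate_include(page: str, response_charset: str, request_charset: str):
    """Model (hypothetical) of Include#include: the JSP is rendered into a byte
    buffer with the response charset, then turned back into a String with the
    request charset. Returns (ok, text). Decoding is strict, as on current JREs,
    so a mismatch on non-ASCII bytes fails instead of producing a reinterpreted
    string that later reaches the browser."""
    raw = page.encode(response_charset)
    try:
        return True, raw.decode(request_charset)
    except UnicodeDecodeError:
        return False, ""


def is_strict_utf8(data: bytes) -> bool:
    """True only for well-formed, shortest-form UTF-8. Python's codec rejects
    overlong and truncated sequences, which is the decoder behaviour the
    comment relies on when it recommends running the latest JRE."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    for resp, req in [(DEFAULT_RESPONSE_CHARSET, DEFAULT_REQUEST_CHARSET),
                      ("UTF-8", "UTF-8")]:
        ok, _ = simulate_include(INCLUDED_PAGE, resp, req)
        print(f"response={resp:<10} request={req:<5} agree={charsets_agree(resp, req)} "
              f"round-trip={'ok' if ok else 'FAILED'}")
```

With the defaults (ISO-8859-1 response, UTF-8 request) the round trip fails on the first non-ASCII byte; with both sides on UTF-8 the escaped markup comes back unchanged.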
