struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lukasz Lenart (JIRA)" <>
Subject [jira] [Commented] (WW-4625) Struts 2 XSS vulnerability with <s:textfield> when <s:include> is used.
Date Sat, 07 May 2016 05:02:12 GMT


Lukasz Lenart commented on WW-4625:

I don't think we can do anything about that, I would just prepare announcement about using
the latest JRE and using UTF-8 encoding everywehere

> Struts 2 XSS vulnerability with <s:textfield> when <s:include> is used.
> -----------------------------------------------------------------------
>                 Key: WW-4625
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.24, 2.3.28
>         Environment: Operating System: Windows 7(N/A).
> Application Server: Tomcat 6(any server running on JRE1.6 or before JRE).
> Java: jdk1.5.0.11.
> Developloment Framework: Struts 2.3.28,
> Browser: FireFox 38.0.1.
>            Reporter: Naozumi Taromaru
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.29
> <s:include> tag and JspTemplateEngine use
> org.apache.struts2.components.Include#include.
> (I use <s:include> tag.)
> The included page is encoded by response character encoding(default is ISO-8859-1(ServletResponse)).
> But encoded result is decoded by 'request' character encoding(default is UTF-8(@Inject(StrutsConstants.STRUTS_I18N_ENCODING))).
> org.apache.struts2.components.Include use wrong character encoding.
> If request and response character encoding are specifically configured to same character
> there are no problems.
> However, if request and response character encoding are not specifically configured,
> (or <%@ page contentType="text/html; charset=ISO-8859-1" %> is written in JSP only,)
> the included page is encoded by ISO-8859-1 and decoded by UTF-8.
> By using old decoding rule of UTF-8(enable on JRE1.5.0_16 or before and JRE1.6.0_10 or
> XSS vulnerability occurs, even if input value is sanitized when output as <s:textfield>.
> Please refer to description of WW-4507 for sample attack parameter information.
> Please refer to my comment written in WW-4507 for more analysis information.
> P.S.
> I'm thinking WW-4507(S2-028) has been caused by this.
> (WW-4507(S2-028) is not fixed in 2.3.28.)
> But if it's different, please show the hidden reproduction condition to WW-4507.

This message was sent by Atlassian JIRA

View raw message