Author: lukaszlenart
Date: Tue Aug 25 09:08:37 2015
New Revision: 963024
Log:
Updates production
Modified:
websites/production/struts/content/docs/s2-025.html
Modified: websites/production/struts/content/docs/s2-025.html
==============================================================================
--- websites/production/struts/content/docs/s2-025.html (original)
+++ websites/production/struts/content/docs/s2-025.html Tue Aug 25 09:08:37 2015
@@ -125,7 +125,7 @@ under the License.
<div class="pagecontent">
<div class="wiki-content">
- <div id="ConfluenceContent"><h2
id="S2-025-Summary">Summary</h2>Cross-Site Scripting Vulnerability in Debug
Mode<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read
this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2
developers and users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span>A</span><span>ffects of a cross-site
scripting vulnerability </span>when debug mode is switched on in production
environment.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Turn off debug mode in production
environment. An upgr
ade to <a shape="rect" class="external-link"
href="http://struts.apache.org/download.cgi#struts2320">Struts 2.3.20</a> is
recommended.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">Taki
Uchiyama, JPCERT/CC</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2015-5169</p></td></tr></tbody></table></div><h2
id="S2-025-Problem">Problem</h2><p>When the Struts2 debug mode is turned on,
under certain conditions an arbitrary script may be executed in the
'Problem Report' screen.</p><h2 id="S2-025-Solution">Solution</h2><p>It is g
enerally not advisable to have debug mode switched on outside of the
development environment. Debug mode should always be turned off in production
setup. Also never expose JSPs files directly and hide them
inside <code>WEB-INF</code> folder or define dedicated security
constraints to block access to raw JSP files. Please also ready
our <a shape="rect" href="security.html">Security</a> guide - it
contains useful informations how to secure your application.</p><p>Struts >=
2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts
2.3.20 or higher.</p><h2 id="S2-025-Backwardcompatibility">Backward
compatibility</h2><p>No backward compatibility problems are expected.</p><h2
id="S2-025-Workaround">Workaround</h2><h2
id="S2-025-UpgradetoStruts2.3.20"><span style="font-size: 14.0px;line-height:
20.0px;">Upgrade to Struts 2.3.20</span></h2><p><span style="font-size:
14.0px;line-height: 1.4285715;"><br clear="none"></span></p></div>
+ <div id="ConfluenceContent"><h2
id="S2-025-Summary">Summary</h2>Cross-Site Scripting Vulnerability in Debug
Mode<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Who should read
this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2
developers and users</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span>A</span><span>ffects of a cross-site
scripting vulnerability </span>when debug mode is switched on in production
environment.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>Turn off debug mode in production
environment. An upgr
ade to <a shape="rect" class="external-link"
href="http://struts.apache.org/download.cgi#struts2320">Struts 2.3.20</a> is
recommended.</p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color:
rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">Taki
Uchiyama, JPCERT/CC</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>CVE-2015-5169</p></td></tr></tbody></table></div><h2
id="S2-025-Problem">Problem</h2><p>When the Struts2 debug mode is turned on,
under certain conditions an arbitrary script may be executed in the
'Problem Report' screen.</p><h2 id="S2-025-Solution">Solution</h2><p>It is g
enerally not advisable to have debug mode switched on outside of the
development environment. Debug mode should always be turned off in production
setup. Also never expose JSPs files directly and hide them
inside <code>WEB-INF</code> folder or define dedicated security
constraints to block access to raw JSP files. Please also ready
our <a shape="rect" href="security.html">Security</a> guide - it
contains useful informations how to secure your application.</p><p>Struts >=
2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts
2.3.20 or higher.</p><h2 id="S2-025-Backwardcompatibility">Backward
compatibility</h2><p>No backward compatibility problems are expected.</p><h2
id="S2-025-Workaround">Workaround</h2><p>Upgrade to Struts 2.3.20</p><p><span
style="font-size: 14.0px;line-height: 1.4285715;"><br
clear="none"></span></p></div>
</div>
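Review bot: the replacement block keeps the text defects of the block it removes; since the whole `<div id="ConfluenceContent">` is being rewritten anyway, fix them in the same commit. In the "Affected Software" cell, `Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.16.3</span>` repeats the word "Struts" and should read `Struts 2.0.0 - Struts 2.3.16.3` (the inline color style is also unnecessary). In the Solution paragraph, "never expose JSPs files" should be "never expose JSP files", "Please also ready our Security guide" should be "Please also read our Security guide", and "useful informations how to secure" should be "useful information on how to secure". The trailing `<p><span style="font-size: 14.0px;line-height: 1.4285715;"><br clear="none"></span></p>` after the new Workaround paragraph is an empty Confluence export artifact and can be dropped. Finally, the Workaround section now says only "Upgrade to Struts 2.3.20", which duplicates the Solution section; if there is no separate workaround for installations that cannot upgrade immediately, state explicitly that turning off debug mode (as the Recommendation row already says) is the workaround, so the two sections are not redundant.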