Dear Wiki user, You have subscribed to a wiki page or wiki category on "Struts Wiki" for change notification.
The following page has been changed by NiallPemberton: http://wiki.apache.org/struts/StrutsXssVulnerability

The comment on the change is: create XSS Page

New page:

= Struts XSS Vulnerability =

== 1. Information ==

A ''Cross Site Scripting'' (XSS) vulnerability has been identified in Struts by [http://www.hacktics.com/ Hacktics.com]. For further information, see...

 * [http://en.wikipedia.org/wiki/XSS Wikipedia] - What is ''Cross Site Scripting''?
 * [http://www.hacktics.com/AdvStrutsNov05.html Hacktics.com Advisory] - Details of the threat to Struts

== 2. Impact ==

The following ''GA quality'' versions of Struts are vulnerable:

 * Struts 1.0.x
 * Struts 1.1
 * Struts 1.2.4
 * Struts 1.2.7

'''N.B.''' Struts 1.2.8 and Struts 1.3.x do '''NOT''' have this vulnerability.

== 3. Solutions/Options ==

There are three possible courses of action users can take to guard against this vulnerability:

 * Configure an '''unknown''' Struts Action (Struts Version 1.1 onwards)
 * Upgrade to [http://struts.apache.org/struts-doc-1.2.8/userGuide/release-notes.html Struts 1.2.8]
 * Configure your Servlet Container to use a '''Custom Error Page''' for 404 / Not Found errors

=== 3.1 Configure an '''unknown''' Struts Action ===

From Struts 1.1 onwards it is possible to configure one action in the ''struts-config.xml'' for mappings which are ''Not Found''. This action should be configured to forward to a custom error page (which doesn't include the Request's path!). To do this you specify the '''unknown''' attribute on ONE of your action mappings and forward to a custom error page, for example...

{{{
<struts-config>
    ...
    <action-mappings>
        <action forward="/CustomNotFoundError.jsp" unknown="true" />
    </action-mappings>
</struts-config>
}}}

=== 3.2 Upgrading to Struts 1.2.8 ===

Struts has been modified to remove this vulnerability in Struts 1.2.8.
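As an added example (not part of the original wiki page), the ''unknown'' mapping from section 3.1 is shown here next to the portable Servlet-specification way of doing what section 3.3 describes: an <error-page> entry in web.xml for 404 responses. The application mapping, the class name, the file names and the static error page are assumptions.

```xml
<!-- struts-config.xml: the ONE mapping that catches every request with no explicit <action path="..."> -->
<struts-config>
  <action-mappings>
    <!-- assumed ordinary application mapping -->
    <action path="/home" type="com.example.HomeAction" />

    <!-- unknown="true" may appear on only one mapping. Every request that matches no
         other mapping is forwarded here instead of being answered by Struts' default
         "invalid path" handling, which is where the request path was reflected. -->
    <action forward="/CustomNotFoundError.jsp" unknown="true" />
  </action-mappings>
</struts-config>

<!-- web.xml (Servlet 2.3 or later): container-level fallback for genuine 404s, independent of Struts.
     This is the standard deployment-descriptor form of the container option in section 3.3. -->
<web-app>
  <error-page>
    <error-code>404</error-code>
    <!-- assumed static page: plain HTML cannot write the requested URL back into the response -->
    <location>/notfound.html</location>
  </error-page>
</web-app>

<!-- Caveat for both targets: if the error page is a JSP, it must not print
     request.getRequestURI() or the javax.servlet.error.request_uri attribute
     without HTML-escaping it, otherwise the custom page reintroduces the same
     reflection the advisory describes. -->
```

The same check applies when reviewing an existing error page: search it for any expression that emits the request URI or query string and confirm it is escaped.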
For further information on Struts 1.2.8, see:

 * [http://struts.apache.org/struts-doc-1.2.8/userGuide/release-notes.html Struts 1.2.8 Release Notes]
 * [http://wiki.apache.org/struts/StrutsUpgrade Notes on Upgrading]
 * Download the latest Struts [http://struts.apache.org/acquiring.html here]

=== 3.3 Configure Servlet Container to use a '''Custom Error Page''' ===

Check your servlet container's documentation to see if you can configure a custom error page for '''404''' / '''Not Found''' status.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
