I agree on using cross site scripting in favor of XSS. IMO we should not get that detailed on tag usage to say it is about user inputted data to <s:a> /<s:url>. People may rate their projects wrong because the vulnerability starts with includeParams<>"none", which does not make it obvious to most people how easy user inputted data might be injected. If you are using tags, you will most likely use these both sooner or later, thus saying "to prevent cross site scripting attacks through Struts 2 tags" still looks good to me.
Regards,
Rene

On Tue, 4.03.2008, 10:37, Al Sutton wrote:
> Or even;
>
> * All developers using user inputted data in <s:a> and <s:url> tags are
> strongly advised to upgrade in order to increase protection against cross
> site scripting attacks.
>
> That way we don't spook people into thinking there something fundamentally
> wrong with the whole framework (and I prefer "cross site scripting" as
> opposed to "XSS" because I just know we're going to start getting posts on
> the user list asking what XSS is).
>
> ----- Original Message -----
> From: "Don Brown" <[EMAIL PROTECTED]>
> To: "Struts Developers List" <dev@struts.apache.org>
> Sent: Tuesday, March 04, 2008 8:04 AM
> Subject: Re: [VOTE] Struts 2.0.11.1 Quality (fast track) - PROPOSED ANNOUNCEMENT
>
>> What about:
>>
>> * All developers are strongly advised to update Struts 2 applications
>> to Struts 2.0.11.1 to prevent XSS attacks through Struts 2 tags.
>>
>> In this way, we aren't quite so "in-your-face" and a quick summary of
>> the issue and what part of Struts 2 is affected is included. The
>> qualifier is probably important as not all apps use the affected
>> Struts 2 tags and since the release just includes that one fix, it is
>> valuable to specify exactly what has been fixed.
>>
>> Still, these are all minor things - the important thing is that you
>> got this release out so quickly and for that, we are all very grateful
>> :)
>>
>> Don
>>
>> On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
>>> Agreed. How should we put it better?
>>>
>>> Don Brown wrote:
>>>
>>> > Good point. This pales in comparison to, say, the OGNL remote code
>>> > exploit. XSS exploits, while important, just aren't anywhere near as
>>> > big of deal.
>>> >
>>> > Don
>>> >
>>> > On Tue, Mar 4, 2008 at 12:43 PM, Jeromy Evans
>>> > <[EMAIL PROTECTED]> wrote:
>>> >> My opinion is that the criticality is overstated.
>>> >> However it is useful to draw attention to the vulnerability.
>>> >>
>>> >> Don Brown wrote:
>>> >> > Looks good. Thanks for creating a security bulletin as well.
>>> >> >
>>> >> > Don
>>> >> >
>>> >> > On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
>>> >> >
>>> >> >> The release has been submitted for mirroring. Here's a draft
>>> >> >> announcement that we could post tomorrow morning, including a link to a
>>> >> >> corresponding security bulletin announcement in the wiki. Comments and
>>> >> >> corrections to both texts are highly appreciated.
>>> >> >>
>>> >> >> ----
>>> >> >>
>>> >> >> Apache Struts 2.0.11.1 is now available from
>>> >> >> <http://struts.apache.org/download.cgi#struts20111>.
>>> >> >>
>>> >> >> This release is a fast track security fix release, including important
>>> >> >> security fixes regarding possible cross site scripting exploits. For
>>> >> >> more information about the exploits, visit our security bulletins page at
>>> >> >> <http://cwiki.apache.org/confluence/display/WW/S2-002>.
>>> >> >>
>>> >> >> * ALL DEVELOPERS ARE STRONGLY ADVISED TO UPDATE TO STRUTS 2.0.11.1
>>> >> >> IMMEDIATELY!
>>> >> >>
>>> >> >> For the complete release notes for Struts 2.0.11.1, see
>>> >> >> <http://cwiki.apache.org/confluence/display/WW/Release+Notes+2.0.11.1>.

--
Rene Gielen | http://it-neering.net/
Aachen | PGP-ID: BECB785A
Germany | gielen at it-neering.net

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]