[ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46820#action_46820 ]

Niall Pemberton commented on STR-3191:
--------------------------------------

Firstly apologies for the lateness in this response.

I have looked through the links for this vulnerability and the description is 
very vague...

"allows remote attackers to inject arbitrary web script or HTML via unspecified 
vectors related to 'insufficient quoting of parameters.'"

...and I can find nothing that demonstrates how there is an XSS vulnerability.

The original fix sent to the Struts PMC involved filtering the attribute names 
and values in BaseHandlerTag's prepareAttribute() method:

{code}
// Proposed fix: pass both the attribute name and the attribute value through
// TagUtils.filter() (HTML escaping) before writing them into the tag.
protected void prepareAttribute(StringBuffer handlers, String name,
    Object value) {
    if (value != null) {
        handlers.append(" ");
        handlers.append(TagUtils.getInstance().filter(name));
        handlers.append("=\"");
        handlers.append(TagUtils.getInstance().filter(value.toString()));
        handlers.append("\"");
    }
}
{code}

I can't see how either of these values can be subject to an XSS vulnerability 
since neither are taken from user input. The attribute names are all values 
hard coded in tags that extend from BaseHandlerTag and the values are from JSP 
pages created by the webapp developer - not from user input.

I would like to see an example of how an XSS vulnerability can occur with these 
tags/attributes otherwise I think we should revert the change.

> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via 
> unspecified vectors related to insufficient quoting of parameters. 
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html
