[ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46821#action_46821 ]

Vincent Danen commented on STR-3191:
------------------------------------

Hi Nial.  This is the information we have, which came from SUSE.  Note that I 
was never able to duplicate this (but I know nothing about Struts and java, so 
I'm not surprised I couldn't duplicate it).  Hopefully there is enough here to 
help you see where the reported problem is stemming from.

Using the following simple JSP page with the struts tag img (derived from 
BaseHandlerTag):

------------------------------------------------------------------
<%@ taglib uri="/tags/struts-html" prefix="html" %>

<html>
<head>
<title>CVE-2008-2025 exploit test</title>
</head>
<body>

<html:img src="noone.gif" alt="<%= request.getParameter("alt") %>"/>

</body>
</html>
------------------------------------------------------------------

Call this page with a GET parameter starting with double quotes:

?alt="<script type="text/javascript">alert ("Got ja!!");</script>

The result from an unpatched struts copies the string to parameter 
title, with the resulting HTML looking like:

<img src="noone.gif" alt=""<script type="text/javascript">alert ("Got ja!!");</script>"/>

This is interpreted by the browser as javascript and executed, so a message box 
with "Got ja!" will be raised.  The patched struts (remember, this is based on 
SUSE's patch) filters quotes, so the result would be:

<img src="noone.gif" alt="&quot;<script type=&quot;text/javascript&quot;>alert (&quot;Got ja!!&quot;);</script>">

The code comes right from SUSE's bz, but the comments are paraphrased as I 
didn't feel comfortable doing a straight cut-n-paste as the initial comments 
are still private.

> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via 
> unspecified vectors related to insufficient quoting of parameters. 
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
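The following is an added example, not code from Struts or from the SUSE patch: a stand-in for the attribute filtering described in the comment above (quotes and the other HTML-significant characters entity-encoded), next to the verbatim copy an unpatched tag performs, with a small browser-like reader that shows where each rendering leaves the `<script>` element. The class and method names are hypothetical.

```java
// Added example; not Struts's own tag code.
public class AttrEscapeDemo {
    /** Entity-encodes the HTML-significant characters of an attribute value. */
    public static String encodeAttribute(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unpatched behaviour: the request parameter is copied verbatim into alt="...". */
    public static String renderUnescaped(String alt) {
        return "<img src=\"noone.gif\" alt=\"" + alt + "\"/>";
    }

    /** Patched behaviour: the value is encoded before it is placed in the attribute. */
    public static String renderEscaped(String alt) {
        return "<img src=\"noone.gif\" alt=\"" + encodeAttribute(alt) + "\"/>";
    }

    /** Reads the alt value the way a browser tokenizer would: up to the next '"'. */
    public static String altAsBrowserSeesIt(String html) {
        int start = html.indexOf("alt=\"") + 5;
        return html.substring(start, html.indexOf('"', start));
    }

    /** True when a script start tag sits beyond the alt value as the browser delimits it. */
    public static boolean scriptOutsideAttribute(String html) {
        int valueEnd = html.indexOf("alt=\"") + 5 + altAsBrowserSeesIt(html).length();
        return html.indexOf("<script") > valueEnd;
    }

    public static void main(String[] args) {
        // constructed input: the exact value the report passes in the ?alt= parameter
        String alt = "\"<script type=\"text/javascript\">alert (\"Got ja!!\");</script>";
        for (String html : new String[] { renderUnescaped(alt), renderEscaped(alt) }) {
            System.out.println(html);
            System.out.println("  alt as seen by browser: [" + altAsBrowserSeesIt(html)
                    + "]  script outside attribute: " + scriptOutsideAttribute(html));
        }
    }
}
```

For the unescaped rendering the browser sees an empty alt value and the script element lands in the document body; for the encoded rendering the whole payload stays inside the attribute as inert text.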