[
https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46822#action_46822
]
Niall Pemberton commented on STR-3191:
--------------------------------------
Thanks for the response Vincent, but the vulnerability shown here is in the JSP
page - if a developer writes a page that re-renders user input like that
without filtering then they're shooting themselves in the foot and they should
fix their code. They could equally do exactly the same thing without using
Struts tags and you get exactly the same vulnerability:
------------------------------------------------------------------
<%@ taglib uri="/tags/struts-html" prefix="html" %>
<html>
<head>
<title>CVE-2008-2025 exploit test</title>
</head>
<body>
<img src="noone.gif" alt="<%= request.getParameter("alt") %>"/>
</body>
</html>
------------------------------------------------------------------
The problem is in the use of scriptlet to re-render unfiltered user input:
<%= request.getParameter("alt") %>
> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
> Key: STR-3191
> URL: https://issues.apache.org/struts/browse/STR-3191
> Project: Struts 1
> Issue Type: Bug
> Components: Tag Libraries
> Affects Versions: 1.2.9, 1.3.10
> Reporter: Paul Benedict
> Assignee: Paul Benedict
> Priority: Blocker
> Fix For: 1.3.11, 1.4.0
>
> Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via
> unspecified vectors related to insufficient quoting of parameters.
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
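Added example (not part of the issue thread and not Struts project code): a
stand-alone Java class that renders the same <img alt="..."> fragment from the
comment above twice, once by raw concatenation exactly as the scriptlet does,
and once through an attribute-encoding helper. The helper escapeAttribute() is
this example's own; the character set it encodes (& < > " ') is assumed to match
what a Struts 1 output filter such as ResponseUtils.filter covers, so check the
source of the version you run. The sample input is constructed for the demo.

```java
// Added example, not code from the Struts project or from the issue thread.
// Demonstrates why <%= request.getParameter("alt") %> inside a quoted
// attribute is unsafe and what attribute-value encoding has to do about it.
public class AttributeEscapeDemo {

    /**
     * Encode the five characters that can terminate a quoted attribute value
     * or start new markup. Assumption: this is the set a Struts 1 filter
     * (ResponseUtils.filter) handles; verify against your version.
     */
    public static String escapeAttribute(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Equivalent of the scriptlet in the JSP: the parameter is concatenated as-is. */
    public static String renderUnfiltered(String alt) {
        return "<img src=\"noone.gif\" alt=\"" + alt + "\"/>";
    }

    /** The corrected rendering: the value is encoded before entering the attribute. */
    public static String renderFiltered(String alt) {
        return "<img src=\"noone.gif\" alt=\"" + escapeAttribute(alt) + "\"/>";
    }

    /** Demo-only check: count '<' characters, i.e. how many tags the output contains. */
    public static int countTagStarts(String html) {
        int n = 0;
        for (int i = html.indexOf('<'); i >= 0; i = html.indexOf('<', i + 1)) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample input: a value that closes the alt attribute and the
        // img element, then adds harmless markup of its own.
        String alt = "x\"/><b>injected</b>";

        String unfiltered = renderUnfiltered(alt);
        String filtered = renderFiltered(alt);

        // The unfiltered output contains three tags; the filtered one contains
        // exactly the single <img> tag the page author wrote.
        System.out.println("unfiltered (" + countTagStarts(unfiltered) + " tags): " + unfiltered);
        System.out.println("filtered   (" + countTagStarts(filtered) + " tags): " + filtered);
    }
}
```

Run it with `javac AttributeEscapeDemo.java && java AttributeEscapeDemo`. The
point the comment makes is visible in the two output lines: the problem is not
which tag library produced the <img>, but that the attribute value reached the
response without encoding, so the fix belongs wherever user input is written
into markup, whether that is a scriptlet or a custom tag.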