[
https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46930#action_46930
]
Vincent Danen commented on STR-3191:
------------------------------------
This sounds like a good compromise.
As a result of the above (and thank you very much for taking the time to look
at this), we will not be using this patch on existing Struts packages in Red
Hat Enterprise Linux following the comments indicating this is not a security
issue. Having said that, we do look forward to future versions having some
hardening features to reduce the likelihood of these types of problems.
> Sufficently filter HTML tag attribute names and values
> ------------------------------------------------------
>
> Key: STR-3191
> URL: https://issues.apache.org/struts/browse/STR-3191
> Project: Struts 1
> Issue Type: Bug
> Components: Tag Libraries
> Affects Versions: 1.2.9, 1.3.10
> Reporter: Paul Benedict
> Assignee: Paul Benedict
> Priority: Blocker
> Fix For: 1.3.11, 1.4.0
>
> Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via
> unspecified vectors related to insufficient quoting of parameters.
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
