XSS vulnerability in UrlHelper.java
-----------------------------------

                 Key: WW-3410
                 URL: https://issues.apache.org/jira/browse/WW-3410
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.1.8.1
            Reporter: Sean Ford


WebWise Security has discovered an XSS vulnerability in Struts 2.1.8.1. This 
particular vulnerability exists in UrlHelper.java and allows an attacker to 
execute arbitrary javascript that could be used to steal a user's session 
credentials or execute forced javascript redirects to phishing sites. This 
vulnerability manifests itself when the <s:url> tag is used with 
includeParams='all'.

Let's say there is an action (myAction.action) that serves a JSP page with the 
following snippet:
<a href="<s:url includeParams="all"/>">My Link</a>

Attack 1:
/myAction.action?param"><sCript>alert('XSS');</sCript>=1

This is very similar to the vulnerability in Security Bulletin S2-002; 
however, the implemented fix for S2-002 only checks for "<script>", not 
"<sCript>".

Attack 2:
/myAction.action?param"onMouseOver%3D"javascript:alert('XSS');">=1

Simply checking for <script> isn't sufficient because certain attributes can be 
injected to execute javascript. In attack 2, the user simply has to hover over 
the link with their mouse and arbitrary javascript will be executed.

I attached a possible fix as a patch. Essentially, both the key and value for a 
parameter must be escaped when creating the query string in UrlHelper.java.
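As an added example (not part of the report or of the attached patch, and not Struts code), the following Java class contrasts a query-string builder that copies parameter names and values through unchanged, which is the behaviour the report describes, with one that percent-encodes both key and value, which is the fix the report proposes for UrlHelper.java. Class and method names are hypothetical; the inputs are constructed from the two decoded parameter names shown in Attack 1 and Attack 2. It uses URLEncoder.encode(String, Charset), so it needs Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Struts code. Class and method names are hypothetical.
public class QueryStringEscapeDemo {

    // Vulnerable shape: parameter names and values are concatenated as received.
    // A name containing a double quote closes the surrounding href attribute.
    static String buildQueryStringUnsafe(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    // Fixed shape: both key and value are percent-encoded, so '"', '<', '>'
    // and '=' inside a parameter name can no longer reach the HTML output.
    static String buildQueryStringSafe(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append('&');
            }
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    // Places the query string where the report's JSP snippet would put it.
    static String renderLink(String queryString) {
        return "<a href=\"/myAction.action?" + queryString + "\">My Link</a>";
    }

    // Check a unit test could make: the rendered link must contain exactly
    // the two double quotes that delimit the href attribute, no more.
    static boolean hrefIsIntact(String html) {
        return html.chars().filter(c -> c == '"').count() == 2;
    }

    public static void main(String[] args) {
        // Constructed input: the parameter names a servlet container hands back
        // after decoding the URLs of Attack 1 and Attack 2 from the report.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("param\"><sCript>alert('XSS');</sCript>", "1");
        params.put("param\"onMouseOver=\"javascript:alert('XSS');\"", "1");

        String unsafe = renderLink(buildQueryStringUnsafe(params));
        String safe = renderLink(buildQueryStringSafe(params));

        System.out.println("unsafe: " + unsafe + "  intact=" + hrefIsIntact(unsafe));
        System.out.println("safe:   " + safe + "  intact=" + hrefIsIntact(safe));
    }
}
```

Compile with javac and run: the unsafe line shows the injected quote closing the href attribute early, while the safe line keeps every injected character inside the attribute as a percent-encoded sequence. Percent-encoding is a context-appropriate output encoding rather than a blacklist, which is why the case variant in Attack 1 and the attribute injection in Attack 2 are neutralised by the same code path. It covers only the URL itself; when the finished URL is placed in an HTML attribute, the `&` between parameters should additionally be HTML-escaped as `&amp;`, which is a separate layer from the one the report's patch addresses.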

