[ https://issues.apache.org/jira/browse/WW-3410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Ford updated WW-3410:
--------------------------
Attachment: URLHelper_XSS_Fix.patch
> XSS vulnerability in UrlHelper.java
> -----------------------------------
>
> Key: WW-3410
> URL: https://issues.apache.org/jira/browse/WW-3410
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.1.8.1
> Reporter: Sean Ford
> Attachments: URLHelper_XSS_Fix.patch
>
>
> WebWise Security has discovered an XSS vulnerability in Struts 2.1.8.1. This
> particular vulnerability exists in UrlHelper.java and allows an attacker to
> execute arbitrary javascript that could be used to steal a user's session
> credentials or execute forced javascript redirects to phishing sites. This
> vulnerability manifests itself when the <s:url> tag is used with
> includeParams='all'.
> Let's say there is an action (myAction.action) that serves a JSP Page with
> the following snippet:
> <a href="<s:url includeParams="all"/>">My Link</a>
> Attack 1:
> /myAction.action?param"><sCript>alert('XSS');</sCript>=1
> This is very similar to the vulnerability in Security Bulletin S2-002;
> however, the implemented fix for S2-002 only checks for "<script>", not
> "<sCript>".
> Attack 2:
> /myAction.action?param"onMouseOver%3D"javascript:alert('XSS');">=1
> Simply checking for <script> isn't sufficient because certain attributes can
> be injected to execute javascript. In attack 2, the user simply has to hover
> over the link with their mouse and arbitrary javascript will be executed.
> I attached a possible fix as a patch. Essentially, both the key and value for
> a parameter must be escaped when creating the query string in UrlHelper.java.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
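
The mitigation the report describes (escaping both the key and the value when the query string is built), shown next to a blacklist check of the kind it criticises. This is an added example, not the attached patch and not Struts code; the class and method names are hypothetical, and the blacklist method is a simplified stand-in for a case-sensitive "<script>" check.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryStringEscapeDemo {
    // Simplified stand-in for a blacklist: drops a parameter only if it holds
    // the exact lower-case string "<script>", otherwise copies it through raw.
    static String buildWithBlacklist(Map<String, String> params) {
        StringBuilder sb = new StringBuilder("?");
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (e.getKey().contains("<script>") || e.getValue().contains("<script>")) {
                continue; // rejected by the blacklist
            }
            if (sb.length() > 1) sb.append("&amp;");
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    // URL-encodes the key as well as the value, so quotes and angle brackets
    // never reach the href attribute regardless of letter case or attribute name.
    static String buildEscaped(Map<String, String> params) throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder("?");
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 1) sb.append("&amp;");
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    // True when the string cannot close a quoted attribute or open a tag.
    static boolean safeInAttribute(String s) {
        return !s.contains("\"") && !s.contains("'") && !s.contains("<") && !s.contains(">");
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Parameter names from the two requests in the report, URL-decoded.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("param\"><sCript>alert('XSS');</sCript>", "1");
        params.put("param\"onMouseOver=\"javascript:alert('XSS');\">", "1");
        String raw = buildWithBlacklist(params);
        String escaped = buildEscaped(params);
        System.out.println("blacklist: safe=" + safeInAttribute(raw) + "  " + raw);
        System.out.println("escaped:   safe=" + safeInAttribute(escaped) + "  " + escaped);
    }
}
```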