[ https://issues.apache.org/jira/browse/WW-3410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12848216#action_12848216 ]

Sean Ford commented on WW-3410:
-------------------------------

Whether or not includeParams="get" is vulnerable depends on the browser and if 
ticket WW-3411 is fixed.

Browsers (at least my tests with Firefox 3 and Chrome) will automatically URL 
encode the query string before sending it to the web server. Due to bug 
WW-3411, the keys in the query string will remain encoded when outputted back 
to the page with includeParams="get". So, includeParams="get" in Struts 
2.1.8.1 shouldn't be vulnerable providing that the browser URL encodes the 
query string.

If WW-3411 is fixed, and WW-3410 is _not_ fixed, then includeParams="get" will 
definitely be vulnerable.

> XSS vulnerability in UrlHelper.java
> -----------------------------------
>
>                 Key: WW-3410
>                 URL: https://issues.apache.org/jira/browse/WW-3410
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.1.8.1
>            Reporter: Sean Ford
>         Attachments: URLHelper_XSS_Fix.patch
>
>
> WebWise Security has discovered an XSS vulnerability in Struts 2.1.8.1. This 
> particular vulnerability exists in UrlHelper.java and allows an attacker to 
> execute arbitrary javascript that could be used to steal a user's session 
> credentials or execute forced javascript redirects to phishing sites. This 
> vulnerability manifests itself when the <s:url> tag is used with 
> includeParams='all'.
> Let's say there is an action (myAction.action) that serves a JSP Page with 
> the following snippet:
> <a href="<s:url includeParams="all"/>">My Link</a>
> Attack 1:
> /myAction.action?param"><sCript>alert('XSS');</sCript>=1
> This is very similar to the vulnerability in Security Bulletin S2-002; 
> however, the implemented fix for S2-002 only checks for "<script>", not 
> "<sCript>".
> Attack 2:
> /myAction.action?param"onMouseOver%3D"javascript:alert('XSS');">=1
> Simply checking for <script> isn't sufficient because certain attributes can 
> be injected to execute javascript. In attack 2, the user simply has to hover 
> over the link with their mouse and arbitrary javascript will be executed.
> I attached a possible fix as a patch. Essentially, both the key and value for 
> a parameter must be escaped when creating the query string in UrlHelper.java.
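The fix the report calls for (escape both the key and the value when rebuilding the query string), as an added example written for this thread; it is not the attached patch or Struts' own UrlHelper, and the class name SafeQueryString and the containsMarkup regression check are this example's inventions:

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Struts' own UrlHelper: rebuild a query string from the
// request's parameter map, percent-encoding BOTH the key and the value. The
// characters that matter inside an href attribute ('"', '<', '>', '\'') cannot
// survive encoding, so neither attack string from the report can break out.
public final class SafeQueryString {

    public static String build(Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder();
        try {
            for (Map.Entry<String, String[]> e : params.entrySet()) {
                // Keys are attacker-controlled just as much as values are.
                String key = URLEncoder.encode(e.getKey(), "UTF-8");
                for (String v : e.getValue()) {
                    if (sb.length() > 0) sb.append('&');
                    sb.append(key).append('=');
                    sb.append(v == null ? "" : URLEncoder.encode(v, "UTF-8"));
                }
            }
        } catch (UnsupportedEncodingException ex) {
            throw new IllegalStateException("UTF-8 is always supported", ex);
        }
        return sb.toString();
    }

    // True if the built string still contains a character that could close or
    // alter an HTML attribute; useful as a regression guard in unit tests.
    public static boolean containsMarkup(String q) {
        return q.indexOf('<') >= 0 || q.indexOf('>') >= 0 || q.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: the two parameter names from the report, as the
        // servlet container hands them to the action after URL decoding.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("param\"><sCript>alert('XSS');</sCript>", new String[] {"1"});
        params.put("param\"onMouseOver=\"javascript:alert('XSS');\">", new String[] {"1"});
        String q = build(params);
        System.out.println("?" + q);
        System.out.println("markup survives: " + containsMarkup(q));
    }
}
```

Percent-encoding neutralises the query string itself; when the result is placed inside an attribute, as the <s:url> snippet does, the tag should additionally HTML-escape it for that context, since this example only covers the query-string layer.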
