[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15098308#comment-15098308 ]
Rene Gielen commented on WW-4507:
---------------------------------

We can confirm now that this is a platform issue. Especially JRE 1.5's URLDecoder implementation seems to be broken to the point that this non-spec encoding isn't rejected / filtered. The current implementation of URLDecoder in JRE 1.8 seems to address all issues in this space, thus it is highly recommended to upgrade to JRE 1.8 for production environments.

Some containers such as Tomcat and Jetty circumvent broken JRE URLDecoder implementations by providing their own decoder for dealing with request parameters. JBoss 4.2.1 does not seem to be in this space.

While upcoming Struts 2.3.25 will have improved handling for some edge cases where URLDecoder is called by using Tomcat's UDecoder solution, this will not address the specific issue mentioned here. To address this, one will either have to upgrade the JRE to a version with a non-broken URLDecoder implementation (preferably JRE 1.8) or a container that circumvents calls to the broken URLDecoder implementation in its Servlet API implementation.

> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
>                 Key: WW-4507
>                 URL: https://issues.apache.org/jira/browse/WW-4507
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.3
>         Environment: Operating System: Windows 7. Application Server: JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts 2.3.16.3. Browser: Firefox 38.0.1
>            Reporter: brian neisen
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.x
>
>
> WhiteHat Security (whitehatsec.com) has found an XSS vulnerability with the <s:textfield> tag. When loading a URL in a browser with some param name, in this case "myinput", and the JSP being loaded has the tag <s:textfield name="myinput" id="myinput"></s:textfield>, an alert message is popped open in the browser, which is WhiteHat's method of showing the vulnerability.
>
> Example URL is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)