[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15098308#comment-15098308
 ] 

Rene Gielen commented on WW-4507:
---------------------------------

We can confirm now that this is a platform issue. Especially JRE 1.5's 
URLDecoder implementation seems to be broken to the point that this non-spec 
encoding isn't rejected / filtered. The current implementation of URLDecoder in 
JRE 1.8 seems to address all issues in this space, thus it is highly 
recommended to upgrade to JRE 1.8 for production environments.

Some containers such as Tomcat and Jetty circumvent broken JRE URLDecoder 
implementations by providing their own decoder for dealing with request 
parameters. JBoss 4.2.1 does not seem to be in this space.

While upcoming Struts 2.3.25 will have improved handling for some edge cases 
where URLDecoder is called by using Tomcat's UDecoder solution, this will not 
address the specific issue mentioned here. To address this, one will either 
have to upgrade the JRE to a version with a non-broken URLDecoder implementation 
(preferably JRE 1.8) or a container that circumvents calls to broken URLDecoder 
implementations in its Servlet API implementation.

> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
>                 Key: WW-4507
>                 URL: https://issues.apache.org/jira/browse/WW-4507
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.3
>         Environment: Operating System:  Windows 7.  Application Server:  
> JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Development Framework:  Struts 
> 2.3.16.3.  Browser:  FireFox 38.0.1
>            Reporter: brian neisen
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.x
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the 
> <s:textfield> tag.   When loading a url in a browser with some param name, in 
> this case "myinput", and the jsp being loaded has the tag <s:textfield 
> name="myinput" id="myinput"></s:textfield>, an alert message is popped open 
> in the browser, which is WhiteHat's method of showing the vulnerability.  
> Example url is: 
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]
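The decoding failure discussed above is a shortest-form check: the %fc%80%80%80%80%xx escapes in the reported URL are six-byte "overlong" UTF-8 forms, which RFC 3629 forbids outright (valid lead bytes are only C2..F4, and every code point must use the fewest bytes possible). A decoder that enforces this cannot turn such a sequence into '<' or '"'. The following is an added example, not code from Struts, Tomcat, Jetty or the JRE: a strict percent-decoder that validates the decoded bytes as well-formed UTF-8 and rejects the rest. The WW4507_PAYLOAD constant is the parameter value from the issue's example URL; the function names are this example's own. Python's built-in bytes.decode("utf-8") already applies the same rules, so the hand-written validator exists only to make each check visible.

```python
"""Strict percent-decoding for request parameters (added example).

Rejects any decoded byte sequence that is not shortest-form UTF-8 as
defined by RFC 3629, which is the behaviour a correct URLDecoder needs
in order to refuse the overlong %fc... forms from WW-4507.
"""
import re

# Parameter value taken from the issue's example URL (after "myinput=").
WW4507_PAYLOAD = (
    "%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7"
    "%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8"
    "%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE"
    "%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81"
    "%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE"
)

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def percent_decode_bytes(s: str) -> bytes:
    """Turn %XX escapes into raw bytes ('+' becomes a space) without yet
    interpreting the result as text; malformed escapes are an error."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "%":
            m = _PCT.match(s, i)
            if not m:
                raise ValueError(f"malformed percent escape at offset {i}")
            out.append(int(m.group(1), 16))
            i += 3
        elif c == "+":
            out.append(0x20)
            i += 1
        else:
            out.extend(c.encode("utf-8"))
            i += 1
    return bytes(out)


def strict_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 by hand, enforcing RFC 3629: lead bytes C2..F4 only,
    the exact number of continuation bytes, shortest form, no surrogate
    code points, nothing above U+10FFFF.  Raises ValueError otherwise."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # plain ASCII
            out.append(chr(b0))
            i += 1
            continue
        if 0xC2 <= b0 <= 0xDF:
            need, cp, lowest = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:
            need, cp, lowest = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:
            need, cp, lowest = 3, b0 & 0x07, 0x10000
        else:
            # 80..BF: stray continuation; C0/C1: two-byte overlongs;
            # F5..FF: the obsolete 5/6-byte forms used by the issue's payload.
            raise ValueError(f"invalid UTF-8 lead byte 0x{b0:02x} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated UTF-8 sequence at offset {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{b:02x} at offset {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        if cp < lowest:                    # representable in fewer bytes
            raise ValueError(f"overlong UTF-8 encoding at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def decode_query_param(raw: str) -> str:
    """Strictly decode one percent-encoded parameter value."""
    return strict_utf8_decode(percent_decode_bytes(raw))


def try_decode(raw: str):
    """Return the decoded text, or None if the value must be rejected."""
    try:
        return decode_query_param(raw)
    except ValueError:
        return None


if __name__ == "__main__":
    print("issue payload accepted:", try_decode(WW4507_PAYLOAD) is not None)
    print("caf%C3%A9 ->", decode_query_param("caf%C3%A9"))
```

A decoder built this way fails closed: the request parameter from the issue is refused before any tag rendering happens, while ordinary non-ASCII input such as caf%C3%A9 still decodes normally. As a quick cross-check, feeding percent_decode_bytes(WW4507_PAYLOAD) to bytes.decode("utf-8") raises UnicodeDecodeError for the same reason.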



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
