[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15215689#comment-15215689 ]
Naozumi Taromaru commented on WW-4507:
--------------------------------------

I reproduced this issue. I use Struts 2.3.24.1 and 2.3.28. Even Struts 2.3.28 isn't fixed yet.

This issue is that %fc%80%80%80%80%a2 becomes '"' after the <s:textfield> tag's process.
(If %fc%80%80%80%80%a2 became '"' before the <s:textfield> tag's process, '"' would become &quot; by the <s:textfield> tag's process.)

The cause of this issue is org.apache.struts2.components.Include#include. (It's used by <s:include> and JspTemplateEngine.)
The included page is encoded by the response character encoding (default is ISO-8859-1 (ServletResponse)).
But the encoded result is decoded by the 'request' character encoding (default is UTF-8 (@Inject(StrutsConstants.STRUTS_I18N_ENCODING))).
org.apache.struts2.components.Include#include uses the wrong character encoding when decoding.

See
org.apache.struts2.components.Include$PageResponse#getWriter
org.apache.struts2.components.Include#include

-----

server.xml (Tomcat): default.

struts.xml: <constant name="struts.i18n.encoding" value="..." /> is not set.

sample.jsp:
<%@ page contentType="text/html" %>
...
<s:include value="/WEB-INF/jsp/example/included.jsp" />

included.jsp:
<s:textfield name="myinput" id="myinput"></s:textfield>

Query parameter: myinput=%fc%80%80%80%80%a2

1. Query parameter is decoded by Tomcat. (ISO-8859-1)
   %fc%80%80%80%80%a2 -> String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 }

2. <s:textfield> tag outputs String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 }
   String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 } (It doesn't contain U+0022 ( = '"').)

3. String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 } is encoded by org.apache.struts2.components.Include (ISO-8859-1)
   String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 } -> byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 }

4. byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 } is decoded by org.apache.struts2.components.Include (UTF-8)
   byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 } -> String { U+0022 = '"' } (use JDK 1.5.0_11)


> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
>                 Key: WW-4507
>                 URL: https://issues.apache.org/jira/browse/WW-4507
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.3
>         Environment: Operating System: Windows 7. Application Server: JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts 2.3.16.3. Browser: FireFox 38.0.1
>            Reporter: brian neisen
>            Assignee: Rene Gielen
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.28, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an XSS vulnerability with the <s:textfield> tag. When loading a URL in a browser with some param name, in this case "myinput", and the JSP being loaded has the tag <s:textfield name="myinput" id="myinput"></s:textfield>, an alert message is popped open in the browser, which is WhiteHat's method of showing the vulnerability.
> Example URL is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
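The four steps in the comment above, worked through as an added example. This is not code from the Struts project or from the issue thread: it is a stand-alone Python script that replays the charset mismatch (encode with ISO-8859-1, decode with UTF-8) on the constructed query value from the report, shows that a strict UTF-8 decoder rejects the resulting bytes where the lenient JDK 1.5 decoder accepted them, and adds the check a defender wants at an input or template boundary: a scanner that flags overlong UTF-8 sequences (a code point written in more bytes than the encoding allows, which is exactly what 0xfc 0x80 0x80 0x80 0x80 0xa2 is for U+0022). All function names (tomcat_iso_decode, include_roundtrip_bytes, strict_utf8_decode, find_overlong_utf8, same_charset_roundtrip) are this example's own.

```python
# Added example; not Struts code. Replays the Include charset mismatch from WW-4507
# and detects overlong UTF-8 sequences that lenient decoders turn into ASCII.
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed input: the query value from the report, still percent-encoded.
RAW_QUERY_VALUE = "%fc%80%80%80%80%a2"


def tomcat_iso_decode(percent_encoded: str) -> str:
    """Step 1: percent-decode with ISO-8859-1 (Tomcat default per the comment),
    so every byte becomes one char U+0000..U+00FF."""
    return unquote(percent_encoded, encoding="iso-8859-1", errors="strict")


def include_roundtrip_bytes(text: str) -> bytes:
    """Step 3: Include's PageResponse writes the included page with the
    response charset (ISO-8859-1), giving back the original bytes."""
    return text.encode("iso-8859-1")


def strict_utf8_decode(data: bytes) -> Optional[str]:
    """Step 4 with a strict decoder: returns text, or None when the bytes are
    rejected. Python's decoder refuses 0xfc as a start byte; the JDK 1.5
    decoder named in the comment accepted the 6-byte form and produced '"'."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def same_charset_roundtrip(text: str) -> str:
    """The fix the comment implies: decode with the charset you encoded with."""
    return include_roundtrip_bytes(text).decode("iso-8859-1")


def find_overlong_utf8(data: bytes) -> List[Tuple[int, int, int]]:
    """Scan bytes for 2..6-byte UTF-8 sequences (legacy 5/6-byte forms included)
    whose code point fits in fewer bytes, i.e. overlong encodings.
    Returns (offset, sequence_length, code_point) for each overlong sequence."""
    # (mask, expected lead-byte value, sequence length)
    leads = [(0xE0, 0xC0, 2), (0xF0, 0xE0, 3), (0xF8, 0xF0, 4),
             (0xFC, 0xF8, 5), (0xFE, 0xFC, 6)]
    # smallest code point a sequence of that length may legitimately carry
    min_cp = {2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}
    findings: List[Tuple[int, int, int]] = []
    i = 0
    while i < len(data):
        lead = data[i]
        length = next((n for mask, val, n in leads if lead & mask == val), 1)
        if length == 1 or i + length > len(data):
            i += 1
            continue
        cont = data[i + 1:i + length]
        if any(c & 0xC0 != 0x80 for c in cont):
            i += 1  # not a well-formed sequence; move on one byte
            continue
        # lead byte keeps (7 - length) payload bits, each continuation byte 6
        cp = lead & ((1 << (7 - length)) - 1)
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        if cp < min_cp[length]:
            findings.append((i, length, cp))
        i += length
    return findings


if __name__ == "__main__":
    chars = tomcat_iso_decode(RAW_QUERY_VALUE)
    raw = include_roundtrip_bytes(chars)
    print("step 1/2 string:", [f"U+{ord(c):04x}" for c in chars])
    print("step 3 bytes:   ", raw.hex(" "))
    print("step 4 strict:  ", strict_utf8_decode(raw))
    print("overlong:       ", [(o, n, f"U+{cp:04x}") for o, n, cp in find_overlong_utf8(raw)])
    print("same charset:   ", same_charset_roundtrip(chars) == chars)
```

The scanner is the piece worth keeping: run it over request parameters or over any byte stream that crosses a charset boundary, and treat any hit as hostile input, because no legitimate encoder ever emits an overlong form. Note that the 5- and 6-byte patterns are only there so the scanner recognises what old decoders accepted; a conforming decoder rejects lead bytes 0xF8..0xFD outright.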