[ https://issues.apache.org/jira/browse/WW-4625?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15277847#comment-15277847 ]
Naozumi Taromaru commented on WW-4625:
--------------------------------------

If about the workaround of 2.3.28 or before, I think so, too.
("Alternatively upgrade to Struts 2.3.28" should be deleted from https://struts.apache.org/docs/s2-028.html)

If about 2.3.29 or later ...
If an unknown charset stream (or byte array) is decoded by UTF-8, I think so, too.
(For example, when a page includes the content of an external web site as text.)
However, the byte array was encoded not by an unknown charset but by org.apache.struts2.components.Include$PageResponse.

I wrote the following:
----
The included page is encoded by the response character encoding (default is ISO-8859-1 (ServletResponse)).
But the encoded result is decoded by the 'request' character encoding (default is UTF-8 (@Inject(StrutsConstants.STRUTS_I18N_ENCODING))).
org.apache.struts2.components.Include uses the wrong character encoding.
----

Suggestion 1. org.apache.struts2.components.Include uses Include$PageResponse#getCharacterEncoding when decoding.

{noformat}
if (encoding != null) {
    // Use given encoding
    pageResponse.getContent().writeTo(writer, encoding);
} else {
    //use the platform specific encoding
    pageResponse.getContent().writeTo(writer, systemEncoding);
}
{noformat}

to

{noformat}
pageResponse.getContent().writeTo(writer, pageResponse.getCharacterEncoding());
{noformat}

Suggestion 2. If you want to use the encoding argument and the systemEncoding field, the encoding information is given to Include$PageResponse too.

{noformat}
PageResponse pageResponse = new PageResponse(response);

// Include the resource
rd.include(request, pageResponse);

if (encoding != null) {
    // Use given encoding
    pageResponse.getContent().writeTo(writer, encoding);
} else {
    //use the platform specific encoding
    pageResponse.getContent().writeTo(writer, systemEncoding);
}
{noformat}

to

{noformat}
// Use given encoding
String encodingToUse = encoding;
if (encoding == null) {
    //use the platform specific encoding
    encodingToUse = systemEncoding;
}
PageResponse pageResponse = new PageResponse(response, encodingToUse);

// Include the resource
rd.include(request, pageResponse);

pageResponse.getContent().writeTo(writer, encodingToUse);
{noformat}

and

{noformat}
static final class PageResponse extends HttpServletResponseWrapper {
    ...
    public PageResponse(HttpServletResponse response) {
        super(response);
    }
    ...
    public PrintWriter getWriter() throws IOException {
        if (pagePrintWriter == null) {
            pagePrintWriter = new PrintWriter(new OutputStreamWriter(getOutputStream(), getCharacterEncoding()));
        }
    ...
{noformat}

to

{noformat}
static final class PageResponse extends HttpServletResponseWrapper {
    ...
    protected String encodingToUse;

    public PageResponse(HttpServletResponse response, String encodingToUse) {
        super(response);
        this.encodingToUse = encodingToUse;
    }
    ...
    public PrintWriter getWriter() throws IOException {
        if (pagePrintWriter == null) {
            pagePrintWriter = new PrintWriter(new OutputStreamWriter(getOutputStream(), encodingToUse));
        }
    ...
{noformat}

Are they difficult?

> Struts 2 XSS vulnerability with <s:textfield> when <s:include> is used.
> -----------------------------------------------------------------------
>
> Key: WW-4625
> URL: https://issues.apache.org/jira/browse/WW-4625
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.24, 2.3.28
> Environment: Operating System: Windows 7(N/A).
> Application Server: Tomcat 6 (any server running on JRE1.6 or an earlier JRE).
> Java: jdk1.5.0.11.
> Development Framework: Struts 2.3.28, 2.3.24.1.
> Browser: FireFox 38.0.1.
> Reporter: Naozumi Taromaru
> Labels: struts2, vulnerability, xss
> Fix For: 2.3.29
>
>
> <s:include> tag and JspTemplateEngine use org.apache.struts2.components.Include#include.
> (I use <s:include> tag.)
> The included page is encoded by the response character encoding (default is ISO-8859-1 (ServletResponse)).
> But the encoded result is decoded by the 'request' character encoding (default is UTF-8 (@Inject(StrutsConstants.STRUTS_I18N_ENCODING))).
> org.apache.struts2.components.Include uses the wrong character encoding.
> If request and response character encoding are specifically configured to the same character encoding, there are no problems.
> However, if request and response character encoding are not specifically configured,
> (or <%@ page contentType="text/html; charset=ISO-8859-1" %> is written in JSP only,)
> the included page is encoded by ISO-8859-1 and decoded by UTF-8.
> By using the old decoding rule of UTF-8 (enabled on JRE1.5.0_16 or before and JRE1.6.0_10 or before),
> an XSS vulnerability occurs, even if the input value is sanitized when output as <s:textfield>.
> Please refer to the description of WW-4507 for sample attack parameter information.
> Please refer to my comment written in WW-4507 for more analysis information.
> P.S.
> I'm thinking WW-4507(S2-028) has been caused by this.
> (WW-4507(S2-028) is not fixed in 2.3.28.)
> But if it's different, please show the hidden reproduction condition to WW-4507.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
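The encode/decode mismatch discussed in this issue, reduced to a stand-alone Java program. This is an added illustration, not code from the issue, from Struts, or from the reporter; the class `BufferedPage` and the method `include` are hypothetical stand-ins for `Include$PageResponse` and `Include#include`, and the page body is constructed sample text. The program buffers what an "included page" writes through a `PrintWriter` opened with the response charset, then decodes those bytes with a second, independently chosen charset, which is the pattern the comment identifies as wrong. With a mismatched pair (ISO-8859-1 in, UTF-8 out) any non-ASCII byte in the body no longer survives the round trip; with the same charset on both sides, as Suggestion 1 and Suggestion 2 both arrange, the content comes back unchanged.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;

// Added illustration (not Struts code): models an included page being written
// through a response buffer with one charset and read back with another.
public class IncludeEncodingDemo {

    // Hypothetical stand-in for Include$PageResponse: captures the bytes the
    // included page writes, using the charset the "response" was given.
    static final class BufferedPage {
        private final ByteArrayOutputStream content = new ByteArrayOutputStream();
        private final String characterEncoding;

        BufferedPage(String characterEncoding) {
            this.characterEncoding = characterEncoding;
        }

        // Same shape as PageResponse#getWriter: characters become bytes here,
        // using the response charset.
        PrintWriter getWriter() throws IOException {
            return new PrintWriter(new OutputStreamWriter(content, characterEncoding));
        }

        byte[] getContent() {
            return content.toByteArray();
        }

        String getCharacterEncoding() {
            return characterEncoding;
        }
    }

    // Hypothetical stand-in for Include#include: the page renders 'body' into the
    // buffer with 'responseCharset'; the caller turns the bytes back into text
    // with 'decodeCharset'. The bug is letting these two differ.
    static String include(String body, String responseCharset, String decodeCharset)
            throws IOException {
        BufferedPage page = new BufferedPage(responseCharset);
        PrintWriter writer = page.getWriter();
        writer.print(body);
        writer.flush();
        return new String(page.getContent(), decodeCharset);
    }

    // Corrected form: decode with whatever charset the buffer was written in
    // (what Include$PageResponse#getCharacterEncoding would report).
    static String includeConsistently(String body, String responseCharset) throws IOException {
        BufferedPage page = new BufferedPage(responseCharset);
        PrintWriter writer = page.getWriter();
        writer.print(body);
        writer.flush();
        return new String(page.getContent(), page.getCharacterEncoding());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample output containing a non-ASCII character (U+00E9).
        String body = "<input type=\"text\" value=\"caf\u00e9\"/>";

        // Mismatch described in the issue: response charset ISO-8859-1 on the
        // way in, request charset UTF-8 on the way out.
        String mismatched = include(body, "ISO-8859-1", "UTF-8");
        // Consistent: the same charset on both sides.
        String consistent = includeConsistently(body, "ISO-8859-1");

        System.out.println("mismatched round trip intact: " + body.equals(mismatched));
        System.out.println("consistent round trip intact: " + body.equals(consistent));
    }
}
```

On a current JDK the mismatched call prints `false` because the UTF-8 decoder replaces the lone 0xE9 byte with U+FFFD; the consistent call prints `true`. The issue's point about older JREs is that their lenient UTF-8 decoder did not reject such malformed sequences but reinterpreted them, which is why a byte stream that was safe as ISO-8859-1 could decode to different characters. Pinning one charset for both sides, as either suggestion above does, removes that dependence on the decoder's behaviour.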