[
https://issues.apache.org/jira/browse/WW-5623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Lukasz Lenart updated WW-5623:
------------------------------
Description:
h2. Summary
PostbackResult.doExecute() at line 107 embeds finalLocation into a form action
attribute via raw string concatenation without HTML encoding. The response
Content-Type is text/html (line 103). A double-quote character in the location
breaks out of the attribute, enabling reflected XSS.
This is an encoding inconsistency: form field names and values at lines 218-219
ARE properly URL-encoded via URLEncoder.encode(), but the form action attribute
was not encoded at all.
h2. Changes
* {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in
finalLocation before embedding in the HTML form tag. Consistent with the
existing encoding approach for form field values.
h2. Impact
When a developer uses PostbackResult with an OGNL expression referencing a
user-controllable property (a documented framework feature for dynamic
routing), an attacker can inject arbitrary HTML attributes and elements via the
form action attribute.
h2. Refer
[https://github.com/apache/struts/pull/1653]
[https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27]
h2. Re-triage
Confirmed this is defense-in-depth output encoding at a framework-owned sink,
not a default-config XSS. The action attribute is sourced from configured
location/OGNL, never from request data; attacker input reaches it only when the
application wires untrusted input into the postback location (OGNL,
encode=false), which is documented application responsibility. Fix retained;
no CVE required.
was:
h2. Summary
PostbackResult.doExecute() at line 107 embeds finalLocation into a form action
attribute via raw string concatenation without HTML encoding. The response
Content-Type is text/html (line 103). A double-quote character in the location
breaks out of the attribute, enabling reflected XSS.
This is an encoding inconsistency: form field names and values at lines 218-219
ARE properly URL-encoded via URLEncoder.encode(), but the form action attribute
was not encoded at all.
h2. Changes
* {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in
finalLocation before embedding in the HTML form tag. Consistent with the
existing encoding approach for form field values.
h2. Impact
When a developer uses PostbackResult with an OGNL expression referencing a
user-controllable property (a documented framework feature for dynamic
routing), an attacker can inject arbitrary HTML attributes and elements via the
form action attribute.
h2. Refer
[https://github.com/apache/struts/pull/1653]
[https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27]
> Harden output encoding of the form action attribute in PostbackResult
> ---------------------------------------------------------------------
>
> Key: WW-5623
> URL: https://issues.apache.org/jira/browse/WW-5623
> Project: Struts 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 7.1.1
> Reporter: Tran Quac
> Priority: Major
> Fix For: 6.10.0, 7.2.0
>
> Time Spent: 1h 50m
> Remaining Estimate: 0h
>
> h2. Summary
> PostbackResult.doExecute() at line 107 embeds finalLocation into a form
> action attribute via raw string concatenation without HTML encoding. The
> response Content-Type is text/html (line 103). A double-quote character in
> the location breaks out of the attribute, enabling reflected XSS.
> This is an encoding inconsistency: form field names and values at lines
> 218-219 ARE properly URL-encoded via URLEncoder.encode(), but the form action
> attribute was not encoded at all.
> h2. Changes
> * {*}PostbackResult.java{*}: Add encodeHtml() method to escape &, ", <, > in
> finalLocation before embedding in the HTML form tag. Consistent with the
> existing encoding approach for form field values.
> h2. Impact
> When a developer uses PostbackResult with an OGNL expression referencing a
> user-controllable property (a documented framework feature for dynamic
> routing), an attacker can inject arbitrary HTML attributes and elements via
> the form action attribute.
> h2. Refer
> [https://github.com/apache/struts/pull/1653]
> [https://github.com/apache/struts/pull/1653/changes/1b2242487179f38009d118707b8e70ab396a3d27]
> h2. Re-triage
> Confirmed this is defense-in-depth output encoding at a framework-owned sink,
> not a default-config XSS. The action attribute is sourced from configured
> location/OGNL, never from request data; attacker input reaches it only when
> the application wires untrusted input into the postback location (OGNL,
> encode=false), which is documented application responsibility. Fix retained;
> no CVE required.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
