You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2016/07/15 14:12:23 UTC

[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with 

    [ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379441#comment-15379441 ] 

Hudson commented on WW-4507:
----------------------------

SUCCESS: Integrated in Struts-JDK7-master #495 (See [https://builds.apache.org/job/Struts-JDK7-master/495/])
WW-4507 - clone Tomcat UDecoder and use it for in query string handling (lukaszlenart: rev 76f188406eb9f17a06afcb5f49f0c44d749da0d2)
* core/src/main/java/org/apache/struts2/util/tomcat/buf/HexUtils.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/ByteChunk.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/MessageBytes.java
* core/src/main/java/org/apache/struts2/util/URLDecoderUtil.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/Ascii.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/Utf8Decoder.java
* core/src/main/java/org/apache/struts2/dispatcher/mapper/Restful2ActionMapper.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/CharChunk.java
* core/src/main/java/org/apache/struts2/views/util/DefaultUrlHelper.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/B2CConverter.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/UDecoder.java
* core/src/test/java/org/apache/struts2/util/URLDecoderUtilTest.java
* core/src/main/java/org/apache/struts2/dispatcher/mapper/RestfulActionMapper.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/StringCache.java
WW-4507 - adjust Tomcat url decoding code to Log4j 2 logging used in (lukaszlenart: rev 4720f46a63caaf9db97ba27dc51ac5ad21e66bdc)
* core/src/main/java/org/apache/struts2/util/tomcat/buf/StringCache.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/UDecoder.java


> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
>                 Key: WW-4507
>                 URL: https://issues.apache.org/jira/browse/WW-4507
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.16.3
>         Environment: Operating System:  Windows 7.  Application Server:  JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Developloment Framework:  Struts 2.3.16.3.  Browser:  FireFox 38.0.1
>            Reporter: brian neisen
>            Assignee: Rene Gielen
>              Labels: struts2, vulnerability, xss
>             Fix For: 2.3.28, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the <s:textfield> tag.   When loading a url in a browser with some param name, in this case "myinput", and the jsp being loaded has the tag <s:textfield name="myinput" id="myinput"></s:textfield>, an alert message is popped open in the browser- which is WhiteHat's method of showing the vulnerability.  Example url is: [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)