You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Rene Gielen (JIRA)" <ji...@apache.org> on 2016/01/05 10:45:40 UTC
[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with
[ https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082735#comment-15082735 ]
Rene Gielen commented on WW-4507:
---------------------------------
I have tried to reproduce this with a page encoding of ISO-8859-1 on Tomcat 7, JDK 8, Struts 2.3.24.1, Chrome - to no success
Just to clarify: can we confirm that this is no general issue with ISO-8859-1 page encoding usage? It looks to me like a very specific behaviour found in [~greaserscc@gmail.com]'s setup, including the usage of an older Struts version which is no longer supported due to security fix upgrade policy?
> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System: Windows 7. Application Server: JBoss-4.2.1.GA. Java: jdk1.5.0.11. Developloment Framework: Struts 2.3.16.3. Browser: FireFox 38.0.1
> Reporter: brian neisen
> Labels: struts2, vulnerability, xss
> Fix For: 2.3.x
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the <s:textfield> tag. When loading a url in a browser with some param name, in this case "myinput", and the jsp being loaded has the tag <s:textfield name="myinput" id="myinput"></s:textfield>, an alert message is popped open in the browser- which is WhiteHat's method of showing the vulnerability. Example url is: [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)