Posted to dev@struts.apache.org by bu...@apache.org on 2006/02/22 12:13:32 UTC
DO NOT REPLY [Bug 38749] New: - XSS vulnerability in LookupDispatchAction
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38749>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38749
Summary: XSS vulnerability in LookupDispatchAction
Product: Struts
Version: 1.2.8
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Extras
AssignedTo: dev@struts.apache.org
ReportedBy: p0023009@brookes.ac.uk
If the user supplies a parameter value which does not correspond to an entry in
the lookupMap, then the supplied value is included in the resulting message
passed back to the user.
    // Find the key for the resource
    String key = (String) lookupMap.get(keyName);
    if (key == null) {
        String message = messages.getMessage(
            "dispatch.resource", mapping.getPath(), keyName);
        throw new ServletException(message);
    }
And the message template is:
Servlet error: Action[{0}] missing resource '{1}' in key method map
At this point, the path is safe (as it must correspond with a path from the
Action), but the keyName is arbitrary user input.
In the specific case we've got,
http://localhost:8988/EDM-ViewController-context-root/browse.do?act=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&select=1177281
produces the HTML:
<HTML><HEAD><TITLE>500 Internal Server Error</TITLE></HEAD><BODY><H1>500
Internal Server Error</H1><PRE>Servlet error: Action[/browse] missing resource
'<SCRIPT>alert("XSS");</SCRIPT>' in key method map</PRE></BODY></HTML>
(Browsing the source code for 1.3, I think that DispatchAction and
LookupDispatchAction in that version have the same problem.)
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org
DO NOT REPLY [Bug 38749] - XSS vulnerability in LookupDispatchAction
Posted by bu...@apache.org.
------- Additional Comments From paul4christ79@yahoo.com 2006-02-22 14:44 -------
On second thought, I think we may want to mark this as INVALID depending on your
response. This is not a problem with the classes, but with the lack of
Validation. You should put validation on "method" parameter - does Struts allow
validation on parameters which are not explicitly defined in forms?
DO NOT REPLY [Bug 38749] - [extras] XSS vulnerability in LookupDispatchAction
Posted by bu...@apache.org.
niallp@apache.org changed:
What          Removed      Added
Status        NEW          RESOLVED
Resolution                 FIXED
------- Additional Comments From niallp@apache.org 2006-03-07 00:18 -------
Fixed in both the current trunk and 1.2.x branch, thanks for reporting this:
http://svn.apache.org/viewcvs.cgi?rev=383718&view=rev
http://svn.apache.org/viewcvs.cgi?rev=383720&view=rev
As well as LookupDispatchAction I also modified DispatchAction and
ActionDispatcher which could expose the same issue when the
NoSuchMethodException is thrown for an invalid method input through a parameter.
Closing as FIXED.
DO NOT REPLY [Bug 38749] - XSS vulnerability in LookupDispatchAction
Posted by bu...@apache.org.
------- Additional Comments From p0023009@brookes.ac.uk 2006-02-22 15:07 -------
(In reply to comment #2)
> On second thought, I think we may want to mark this as INVALID depending on
> your response. This is not a problem with the classes, but with the lack of
> Validation. You should put validation on "method" parameter - does Struts
> allow validation on parameters which are not explicitly defined in forms?
Yes (in answer to your first question), the alert box does pop up. Sorry for
not saying so implicitly originally.
Yes, I could put validation on the form. That's a possibility which hadn't
occurred to me.
It's not going to be trivial to validate the field though, since I'm using
LookupDispatchAction, so the legal parameter values are in the application's
resource bundle, and the corresponding keys are already in the Map used by the
Lookup. So if I do write a simple validator, I'm going to lose the i18n
abilities, and if I write a more robust one, then I'm reimplementing what
LookupDispatchAction does anyway.
And on top of that, it puts another requirement on the user (to explicitly
write the validation). Wouldn't it be more robust to just not echo the dodgy
value?
DO NOT REPLY [Bug 38749] - [extras] XSS vulnerability in LookupDispatchAction
Posted by bu...@apache.org.
wsmoak@apache.org changed:
What       Removed                    Added
Summary    XSS vulnerability in       [extras] XSS vulnerability
           LookupDispatchAction       in LookupDispatchAction
DO NOT REPLY [Bug 38749] - XSS vulnerability in LookupDispatchAction
Posted by bu...@apache.org.
------- Additional Comments From niallp@apache.org 2006-02-22 16:12 -------
I agree we should fix this. We had a similar thing recently and not all servlet
containers were affected - it depended on whether the container filtered the
output from the exception:
http://wiki.apache.org/struts/StrutsXssVulnerability
As a workaround in the meantime you have a few options:
1) Configure a Struts exception handler
2) Configure a custom error page for your servlet container
3) Have a custom LookupDispatchAction overriding the getLookupMapName() method:
protected String getLookupMapName(HttpServletRequest request,
                                  String keyName, ActionMapping mapping)
        throws ServletException {
    try {
        // Hand back the resolved name (the original snippet dropped the return).
        return super.getLookupMapName(request, keyName, mapping);
    } catch (Exception e) {
        // Keep the detail in the server log; send the client only a generic message.
        log.error("LookupDispatchAction error " + e);
        throw new ServletException("Error in LookupDispatchAction");
    }
}
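Added example, not Struts code and not from anyone in this thread: a Python model of the original report (the "dispatch.resource" message built from an unmatched key) and of the point above that exposure depends on whether the container escapes the exception text. It builds the 500 page with and without container escaping, a fixed message that drops the user value, and a check that classifies a response body as reflecting the parameter unescaped, escaped or not at all. LOOKUP_MAP, the GENERIC wording and the function names are assumptions; TEMPLATE and REPORT_URL are quoted from the report.

```python
"""Model of the report: an unmatched dispatch key echoed into a 500 page.
Added example, not Struts code.  LOOKUP_MAP, GENERIC and the function names
are assumptions; TEMPLATE and REPORT_URL are quoted from the bug report."""
from html import escape
from urllib.parse import unquote, urlsplit

# Struts 1.2.8 "dispatch.resource" template, as quoted in the report.
TEMPLATE = "Servlet error: Action[{0}] missing resource '{1}' in key method map"
# Assumed wording for a message that never carries the user-supplied value.
GENERIC = "Servlet error: Action[{0}] missing resource for dispatch parameter"
# Constructed stand-in for the label -> method map LookupDispatchAction builds.
LOOKUP_MAP = {"Browse": "browse", "Delete": "delete"}
REPORT_URL = ("http://localhost:8988/EDM-ViewController-context-root/browse.do"
              "?act=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&select=1177281")

def dispatch_message(path, key_name, fixed=False, lookup_map=LOOKUP_MAP):
    """None when key_name resolves; otherwise the error text sent to the user."""
    if key_name in lookup_map:
        return None
    return (GENERIC if fixed else TEMPLATE).format(path, key_name)

def render_500(message, container_escapes):
    """Default container error page; some containers HTML-escape the text."""
    body = escape(message, quote=False) if container_escapes else message
    return ("<HTML><HEAD><TITLE>500 Internal Server Error</TITLE></HEAD><BODY>"
            "<H1>500 Internal Server Error</H1><PRE>%s</PRE></BODY></HTML>" % body)

def query_param(url, name):
    """Percent-decoded value of one query parameter (split on '&' only)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None

def reflection_state(url, name, body):
    """How a parameter comes back: 'unescaped' is the XSS-exposed case."""
    value = query_param(url, name)
    if value is None:
        return "absent"
    if value in body:
        return "unescaped" if escape(value) != value else "reflected-inert"
    if escape(value) in body or escape(value, quote=False) in body:
        return "escaped"
    return "absent"

if __name__ == "__main__":
    key = query_param(REPORT_URL, "act")
    for fixed, esc in ((False, False), (False, True), (True, False)):
        page = render_500(dispatch_message("/browse", key, fixed), esc)
        print(fixed, esc, reflection_state(REPORT_URL, "act", page))
```

Run against a real deployment, the same classifier applied to the actual 500 body tells you which of the three states your container leaves you in before any code change.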
DO NOT REPLY [Bug 38749] - XSS vulnerability in LookupDispatchAction
Posted by bu...@apache.org.
------- Additional Comments From paul4christ79@yahoo.com 2006-02-22 14:42 -------
I'll write up a patch for this ticket over the weekend. Tommy, so did it cause
the JavaScript alert box to pop up?