Posted to issues@struts.apache.org by "Antonio Petrelli (JIRA)" <ji...@apache.org> on 2008/01/14 16:38:04 UTC

[jira] Updated: (WW-2414) Tags <s:url> and <s:a> do not encode URLs

     [ https://issues.apache.org/struts/browse/WW-2414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Petrelli updated WW-2414:
---------------------------------

    Component/s: Plugin - Tags
    Description: 
The <s:url> tag does not encode the URL parameters when specified in the "action" attribute. This can lead to a possible XSS attack or invalid URLs.
Moreover, <s:a> does not encode the value in the "href" attribute, which can create invalid HTML code and XSS attacks.

This is the original description from Fabio Gandola.

-------------
I downloaded the struts2-blank-2.0.11 application.

I placed it in the webapps directory of Tomcat and executed it. It works.

I placed in example the file XSS.jsp, written this way:

______
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="s" uri="/struts-tags"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<s:url id="xssTest" action="test" namespace="/test" encode="true" />
<s:a href="%{xssTest}">XSS Test</s:a>
</body>
</html>
______

I'm setting encode="true". But if I load this in Internet Explorer 6:

http://localhost:8080/struts2-blank-2.0.11/example/XSS.jsp?>'"><script>alert('Hello World')</script>

The JavaScript is executed, and this can be used for XSS stuff.
I looked into the class:

org.apache.struts2.components.URL 
Revision 595746

And I don't understand where the encode property is used.
Is this the right behaviour of the encode attribute?

EDIT: After doing some more tests, I noticed that if I do:

_____
<s:url id="xssTest" action="test" namespace="/test" encode="true">
<s:param name="myvar" value="%{'< > &'}" />
</s:url>
<s:a href="%{xssTest}">XSS Test</s:a>
_____

The characters < > & are encoded, so this is OK.
The funny thing is that it happens too if I set encode="false".

However, I think the fact that the passed query string is not encoded (or at least I have not found a way) can cause security problems? Or should this be checked by the programmer?

Thank you.

       Priority: Critical  (was: Major)
        Summary: Tags <s:url> and <s:a> do not encode URLs  (was: encode attribute of <s:url ... />)

Edited the description to be more concise

> Tags <s:url> and <s:a> do not encode URLs
> -----------------------------------------
>
>                 Key: WW-2414
>                 URL: https://issues.apache.org/struts/browse/WW-2414
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Tags
>    Affects Versions: 2.0.11
>         Environment: tomcat 6.0.14, jdk 1.6.0_03
>            Reporter: Fabio
>            Priority: Critical
>             Fix For: 2.1.1

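The encoding the report asks for, shown as an added example (not Struts code and not part of the original report): it models a link whose href is built from the raw request query string, first by plain concatenation and then with each query component percent-encoded and the finished URL escaped for the HTML attribute. The class name, helper names and base path are assumptions; the query string is the one from the report.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class HrefEncodingDemo {

    // Escape the characters that can terminate a quoted HTML attribute or open a tag.
    static String escapeHtmlAttr(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Percent-encode one query component (Java 10+ overloads); a malformed
    // %-escape in the input is treated as literal text and encoded as such.
    static String encodeComponent(String raw) {
        try {
            String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            return URLEncoder.encode(decoded, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return URLEncoder.encode(raw, StandardCharsets.UTF_8);
        }
    }

    // Rebuild the query pair by pair so no raw request character reaches the page.
    static String encodeQuery(String rawQuery) {
        StringBuilder out = new StringBuilder();
        for (String pair : rawQuery.split("&")) {
            if (out.length() > 0) out.append('&');
            int eq = pair.indexOf('=');
            out.append(encodeComponent(eq < 0 ? pair : pair.substring(0, eq)));
            if (eq >= 0) out.append('=').append(encodeComponent(pair.substring(eq + 1)));
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String base = "/struts2-blank-2.0.11/test/test.action";        // constructed path
        String rawQuery = ">'\"><script>alert('Hello World')</script>"; // query from the report
        System.out.println("<a href=\"" + base + "?" + rawQuery + "\">XSS Test</a>");
        String url = base + "?" + encodeQuery(rawQuery);
        System.out.println("<a href=\"" + escapeHtmlAttr(url) + "\">XSS Test</a>");
    }
}
```

The two steps are independent: percent-encoding keeps the URL valid, and the attribute escaping still matters for the "&" separators of a multi-parameter query.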