Posted to issues@struts.apache.org by "Sean Ford (JIRA)" <ji...@apache.org> on 2010/03/19 18:24:27 UTC

[jira] Created: (WW-3410) XSS vulnerability in UrlHelper.java

XSS vulnerability in UrlHelper.java
-----------------------------------

                 Key: WW-3410
                 URL: https://issues.apache.org/jira/browse/WW-3410
             Project: Struts 2
          Issue Type: Bug
    Affects Versions: 2.1.8.1
            Reporter: Sean Ford


WebWise Security has discovered an XSS vulnerability in Struts 2.1.8.1. This particular vulnerability exists in UrlHelper.java and allows an attacker to execute arbitrary javascript that could be used to steal a user's session credentials or execute forced javascript redirects to phishing sites. This vulnerability manifests itself when the <s:url> tag is used with includeParams='all'.

Let's say there is an action (myAction.action) that serves a JSP Page with the following snippet:
<a href="<s:url includeParams="all"/>">My Link</a>

Attack 1:
/myAction.action?param"><sCript>alert('XSS');</sCript>=1

This is very similar to the vulnerability in Security Bulletin S2-002; however, the implemented fix for S2-002 only checks for "<script>", not "<sCript>".

Attack 2:
/myAction.action?param"onMouseOver%3D"javascript:alert('XSS');">=1

Simply checking for <script> isn't sufficient because certain attributes can be injected to execute javascript. In attack 2, the user simply has to hover over the link with their mouse and arbitrary javascript will be executed.

I attached a possible fix as a patch. Essentially, both the key and value for a parameter must be escaped when creating the query string in UrlHelper.java.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
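An added illustration of the point in the report (this is not the attached patch and not Struts code): a toy query-string builder in the defective shape, where only the value is URL-encoded, beside the fixed shape, where the parameter name is encoded too, run against the two parameter names from the report. It assumes Java 10 or later for URLEncoder.encode(String, Charset).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public final class QueryStringDemo {
    // Shape of the defect in the report: the value is URL-encoded but the
    // parameter name is copied into the query string verbatim.
    static String buildUnsafe(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(e.getKey()).append('=').append(encode(e.getValue()));
        }
        return sb.toString();
    }

    // Shape of the fix: name and value pass through the same encoder, so a
    // quote, angle bracket or '=' in either one can never reach the markup.
    static String buildSafe(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(encode(e.getKey())).append('=').append(encode(e.getValue()));
        }
        return sb.toString();
    }

    static String encode(String s) {
        // URLEncoder is not a tag blacklist: it encodes every reserved byte,
        // so "<sCript>" and "<script>" are treated identically.
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
    // Characters that would terminate a double-quoted href attribute or
    // open a new tag once the string is written into <a href="...">.
    static boolean breaksHrefAttribute(String qs) {
        return qs.indexOf('"') >= 0 || qs.indexOf('<') >= 0 || qs.indexOf('>') >= 0;
    }
    public static void main(String[] args) {
        // Constructed input: the decoded parameter names a servlet container
        // would hand to the action for the two requests in the report.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("param\"><sCript>alert('XSS');</sCript>", "1");
        params.put("param\"onMouseOver=\"javascript:alert('XSS');\">", "1");
        for (String qs : new String[] { buildUnsafe(params), buildSafe(params) }) {
            System.out.println((breaksHrefAttribute(qs) ? "UNSAFE " : "safe   ") + qs);
        }
    }
}
```

The unsafe builder reproduces the attribute break-out for both names, while the fixed builder emits only percent-encoded bytes for them; the check is the property a regression test for this issue would assert on.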


[jira] Updated: (WW-3410) XSS vulnerability in UrlHelper.java

Posted by "Sean Ford (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Ford updated WW-3410:
--------------------------

    Attachment: URLHelper_XSS_Fix.patch




[jira] Resolved: (WW-3410) XSS vulnerability in UrlHelper.java

Posted by "Lukasz Lenart (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-3410.
-------------------------------


Patch committed, thanks a lot!

> XSS vulnerability in UrlHelper.java
> -----------------------------------
>
>                 Key: WW-3410
>                 URL: https://issues.apache.org/jira/browse/WW-3410
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.1.8.1
>            Reporter: Sean Ford
>            Assignee: Lukasz Lenart
>             Fix For: 2.2.0
>
>         Attachments: URLHelper_XSS_Fix.patch



[jira] Commented: (WW-3410) XSS vulnerability in UrlHelper.java

Posted by "Sean Ford (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12848216#action_12848216 ] 

Sean Ford commented on WW-3410:
-------------------------------

Whether or not includeParams="get" is vulnerable depends on the browser and if ticket WW-3411 is fixed.

Browsers (at least my tests with Firefox 3 and Chrome) will automatically URL encode the query string before sending it to the web server. Due to bug WW-3411, the keys in the query string will remain encoded when outputted back to the page with includeParams="get". So, includeParams="get" in Struts 2.1.8.1 shouldn't be vulnerable providing that the browser URL encodes the query string.

If WW-3411 is fixed, and WW-3410 is _not_ fixed, then includeParams="get" will definitely be vulnerable.




[jira] Commented: (WW-3410) XSS vulnerability in UrlHelper.java

Posted by "Dale Newfield (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12848203#action_12848203 ] 

Dale Newfield commented on WW-3410:
-----------------------------------

Wouldn't this also be an issue with includeParams="get" ?
(And wasn't that the default for much of struts2's lifetime?)

-Dale

