You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2023/06/28 07:00:00 UTC

[jira] [Updated] (WW-4625) Struts 2 XSS vulnerability with when is used.

     [ https://issues.apache.org/jira/browse/WW-4625?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart updated WW-4625:
------------------------------
    Fix Version/s: 6.4.0
                       (was: 6.2.0)

> Struts 2 XSS vulnerability with <s:textfield> when <s:include> is used.
> -----------------------------------------------------------------------
>
>                 Key: WW-4625
>                 URL: https://issues.apache.org/jira/browse/WW-4625
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.3.24, 2.3.28
>         Environment: Operating System: Windows 7(N/A).
> Application Server: Tomcat 6(any server running on JRE1.6 or before JRE).
> Java: jdk1.5.0.11.
> Developloment Framework: Struts 2.3.28, 2.3.24.1.
> Browser: FireFox 38.0.1.
>            Reporter: Naozumi Taromaru
>            Priority: Major
>              Labels: struts2, vulnerability, xss
>             Fix For: 6.4.0
>
>
> <s:include> tag and JspTemplateEngine use
> org.apache.struts2.components.Include#include.
> (I use <s:include> tag.)
> The included page is encoded by response character encoding(default is ISO-8859-1(ServletResponse)).
> But encoded result is decoded by 'request' character encoding(default is UTF-8(@Inject(StrutsConstants.STRUTS_I18N_ENCODING))).
> org.apache.struts2.components.Include use wrong character encoding.
> If request and response character encoding are specifically configured to same character encoding,
> there are no problems.
> However, if request and response character encoding are not specifically configured,
> (or <%@ page contentType="text/html; charset=ISO-8859-1" %> is written in JSP only,)
> the included page is encoded by ISO-8859-1 and decoded by UTF-8.
> By using old decoding rule of UTF-8(enable on JRE1.5.0_16 or before and JRE1.6.0_10 or before),
> XSS vulnerability occurs, even if input value is sanitized when output as <s:textfield>.
> Please refer to description of WW-4507 for sample attack parameter information.
> Please refer to my comment written in WW-4507 for more analysis information.
> P.S.
> I'm thinking WW-4507(S2-028) has been caused by this.
> (WW-4507(S2-028) is not fixed in 2.3.28.)
> But if it's different, please show the hidden reproduction condition to WW-4507.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)