Posted to issues@struts.apache.org by "Gareth Faires (JIRA)" <ji...@apache.org> on 2011/03/23 12:56:06 UTC

[jira] [Created] (WW-3597) XSS vulnerability in javatemplates plugin

XSS vulnerability in javatemplates plugin
-----------------------------------------

                 Key: WW-3597
                 URL: https://issues.apache.org/jira/browse/WW-3597
             Project: Struts 2
          Issue Type: Bug
          Components: Plugin - Java Templates
    Affects Versions: 2.2.1.1
            Reporter: Gareth Faires
            Priority: Critical
         Attachments: javatemplates-xss.patch

Many of the component handlers do not escape the value attribute.  In fact they have been deliberately set to not escape their output.  This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.

The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits.  The Freemarker renderer escapes values correctly therefore switching over to the javatemplates plugin can automatically make your website vulnerable.

Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.

I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (WW-3597) XSS vulnerability in javatemplates plugin

Posted by "Gareth Faires (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13010246#comment-13010246 ] 

Gareth Faires commented on WW-3597:
-----------------------------------

If we take the textfield tag as an example, the default Freemarker engine, see text.ftl, constructs the value attribute as follows:
<#if parameters.nameValue??>
 value="<@s.property value="parameters.nameValue"/>"<#rt/>
</#if>

This uses the property tag which, by default, escapes the output.

Contrast this with the TextFieldHandler, which explicitly doesn't encode the value attribute.
 .addIfExists("value", params.get("nameValue"), false)

To see this vulnerability in action, go to a form page with a url like:
/SomeAction.action?anInputField="/><script>alert("XSS Flaw")</script>

With the Freemarker engine, the value is properly escaped, but with the javatemplates engine, you get the alert box.

> XSS vulnerability in javatemplates plugin
> -----------------------------------------
>
>                 Key: WW-3597
>                 URL: https://issues.apache.org/jira/browse/WW-3597
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Java Templates
>    Affects Versions: 2.2.1.1
>            Reporter: Gareth Faires
>            Assignee: Maurizio Cucchiara
>            Priority: Critical
>         Attachments: javatemplates-xss.patch
>
>
> Many of the component handlers do not escape the value attribute.  In fact they have been deliberately set to not escape their output.  This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.
> The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits.  The Freemarker renderer escapes values correctly therefore switching over to the javatemplates plugin can automatically make your website vulnerable.
> Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.
> I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.

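The contrast drawn in the comment above, an attribute written raw versus the same attribute escaped, as an added example that is not the plugin's code or the attached patch: a minimal Java attribute builder modelled on the quoted addIfExists(name, value, encode) call, with a hypothetical escapeHtmlAttribute() standing in for the escaping the Freemarker property tag performs by default. The class AttributeEscapingDemo, the Attributes helper and the method names are assumptions; the input string is the value from the reproduction URL in the comment.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration, not the javatemplates plugin's code. The names
 * AttributeEscapingDemo, Attributes and escapeHtmlAttribute are assumptions
 * chosen to mirror the addIfExists(name, value, encode) call quoted in the issue.
 */
public class AttributeEscapingDemo {

    /** Escape the five characters that can terminate or alter a quoted HTML attribute. */
    static String escapeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Attribute map in the shape of a tag handler: name -> rendered attribute text. */
    static final class Attributes {
        private final Map<String, String> attrs = new LinkedHashMap<>();

        /** Same shape as the call quoted in the issue; encode=false stores the raw value. */
        Attributes addIfExists(String name, Object value, boolean encode) {
            if (value != null) {
                String text = value.toString();
                attrs.put(name, encode ? escapeHtmlAttribute(text) : text);
            }
            return this;
        }

        /** Render the tag with double-quoted attributes, as the handlers do. */
        String render(String tag) {
            StringBuilder sb = new StringBuilder("<").append(tag);
            for (Map.Entry<String, String> e : attrs.entrySet()) {
                sb.append(' ').append(e.getKey()).append("=\"").append(e.getValue()).append('"');
            }
            return sb.append("/>").toString();
        }
    }

    public static void main(String[] args) {
        // Constructed request parameter: the anInputField value from the reproduction URL.
        String nameValue = "\"/><script>alert(\"XSS Flaw\")</script>";

        // encode=false, as in the unpatched TextFieldHandler: the leading quote closes
        // the value attribute and the rest of the parameter becomes markup.
        String unescaped = new Attributes()
            .addIfExists("name", "anInputField", true)
            .addIfExists("value", nameValue, false)
            .render("input");

        // encode=true, matching the Freemarker property tag: the parameter stays
        // inside the attribute as inert text.
        String escaped = new Attributes()
            .addIfExists("name", "anInputField", true)
            .addIfExists("value", nameValue, true)
            .render("input");

        System.out.println("encode=false: " + unescaped);
        System.out.println("encode=true:  " + escaped);
    }
}
```

Compile with javac and run the class; the first line of output shows the attribute boundary broken by the raw quote, the second shows the same input rendered harmlessly. Entity escaping of this kind only protects the attribute boundary: it does not make an untrusted URL safe inside href, which is why the report recommends building URLs with the url tag or escaping any untrusted data fed into them.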

[jira] [Issue Comment Edited] (WW-3597) XSS vulnerability in javatemplates plugin

Posted by "Gareth Faires (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13010246#comment-13010246 ] 

Gareth Faires edited comment on WW-3597 at 3/23/11 5:38 PM:
------------------------------------------------------------

If we take the textfield tag as an example, the default Freemarker engine, see text.ftl, constructs the value attribute as follows:
<#if parameters.nameValue??>
 value="<@s.property value="parameters.nameValue"/>"<#rt/>
</#if>

This uses the property tag which, by default, escapes the output.

Contrast this with the TextFieldHandler, which explicitly doesn't encode the value attribute.
 .addIfExists("value", params.get("nameValue"), false)

To see this vulnerability in action, go to a form page with a url like:
/SomeAction.action?anInputField="/><script>alert("XSS Flaw")</script>

With the default Freemarker engine, the value is properly escaped, but with the javatemplates engine, you get the alert box.

      was (Author: gfaires):
    If we take the textfield tag as an example, the default Freemarker engine, see text.ftl, constructs the value attribute as follows:
<#if parameters.nameValue??>
 value="<@s.property value="parameters.nameValue"/>"<#rt/>
</#if>

This uses the property tag which, by default, escapes the output.

Contrast this with the TextFieldHandler, which explicitly doesn't encode the value attribute.
 .addIfExists("value", params.get("nameValue"), false)

To see this vulnerability in action, go to a form page with a url like:
/SomeAction.action?anInputField="/><script>alert("XSS Flaw")</script>

With the Freemarker engine, the value is properly escaped, but with the javatemplates engine, you get the alert box.
  
> XSS vulnerability in javatemplates plugin
> -----------------------------------------
>
>                 Key: WW-3597
>                 URL: https://issues.apache.org/jira/browse/WW-3597
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Java Templates
>    Affects Versions: 2.2.1.1
>            Reporter: Gareth Faires
>            Assignee: Maurizio Cucchiara
>            Priority: Critical
>         Attachments: javatemplates-xss.patch
>
>
> Many of the component handlers do not escape the value attribute.  In fact they have been deliberately set to not escape their output.  This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.
> The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits.  The Freemarker renderer escapes values correctly therefore switching over to the javatemplates plugin can automatically make your website vulnerable.
> Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.
> I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.


[jira] [Assigned] (WW-3597) XSS vulnerability in javatemplates plugin

Posted by "Maurizio Cucchiara (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maurizio Cucchiara reassigned WW-3597:
--------------------------------------

    Assignee: Maurizio Cucchiara

> XSS vulnerability in javatemplates plugin
> -----------------------------------------
>
>                 Key: WW-3597
>                 URL: https://issues.apache.org/jira/browse/WW-3597
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Java Templates
>    Affects Versions: 2.2.1.1
>            Reporter: Gareth Faires
>            Assignee: Maurizio Cucchiara
>            Priority: Critical
>         Attachments: javatemplates-xss.patch
>
>
> Many of the component handlers do not escape the value attribute.  In fact they have been deliberately set to not escape their output.  This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.
> The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits.  The Freemarker renderer escapes values correctly therefore switching over to the javatemplates plugin can automatically make your website vulnerable.
> Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.
> I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.


[jira] [Issue Comment Edited] (WW-3597) XSS vulnerability in javatemplates plugin

Posted by "Maurizio Cucchiara (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13010220#comment-13010220 ] 

Maurizio Cucchiara edited comment on WW-3597 at 3/23/11 5:06 PM:
-----------------------------------------------------------------

I'm pretty sure that the default template engine escapes every value attribute, have you checked if this behavior adheres to the other template engines? 

      was (Author: maurizio.cucchiara):
    I'm pretty sure that the default template engine escapes every value attribute, have you checked if this behavior adheres to the other template engine? 
  
> XSS vulnerability in javatemplates plugin
> -----------------------------------------
>
>                 Key: WW-3597
>                 URL: https://issues.apache.org/jira/browse/WW-3597
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Java Templates
>    Affects Versions: 2.2.1.1
>            Reporter: Gareth Faires
>            Priority: Critical
>         Attachments: javatemplates-xss.patch
>
>
> Many of the component handlers do not escape the value attribute.  In fact they have been deliberately set to not escape their output.  This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.
> The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits.  The Freemarker renderer escapes values correctly therefore switching over to the javatemplates plugin can automatically make your website vulnerable.
> Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.
> I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.


[jira] [Updated] (WW-3597) XSS vulnerability in javatemplates plugin

Posted by "Gareth Faires (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gareth Faires updated WW-3597:
------------------------------

    Attachment: javatemplates-xss.patch

> XSS vulnerability in javatemplates plugin
> -----------------------------------------
>
>                 Key: WW-3597
>                 URL: https://issues.apache.org/jira/browse/WW-3597
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Java Templates
>    Affects Versions: 2.2.1.1
>            Reporter: Gareth Faires
>            Priority: Critical
>         Attachments: javatemplates-xss.patch
>
>
> Many of the component handlers do not escape the value attribute.  In fact they have been deliberately set to not escape their output.  This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.
> The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits.  The Freemarker renderer escapes values correctly therefore switching over to the javatemplates plugin can automatically make your website vulnerable.
> Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.
> I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.


[jira] [Commented] (WW-3597) XSS vulnerability in javatemplates plugin

Posted by "Maurizio Cucchiara (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WW-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13010220#comment-13010220 ] 

Maurizio Cucchiara commented on WW-3597:
----------------------------------------

I'm pretty sure that the default template engine escapes every value attribute, have you checked if this behavior adheres to the other template engine? 

> XSS vulnerability in javatemplates plugin
> -----------------------------------------
>
>                 Key: WW-3597
>                 URL: https://issues.apache.org/jira/browse/WW-3597
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Java Templates
>    Affects Versions: 2.2.1.1
>            Reporter: Gareth Faires
>            Priority: Critical
>         Attachments: javatemplates-xss.patch
>
>
> Many of the component handlers do not escape the value attribute.  In fact they have been deliberately set to not escape their output.  This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.
> The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits.  The Freemarker renderer escapes values correctly therefore switching over to the javatemplates plugin can automatically make your website vulnerable.
> Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.
> I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.


[jira] [Resolved] (WW-3597) XSS vulnerability in javatemplates plugin

Posted by "Maurizio Cucchiara (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WW-3597?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maurizio Cucchiara resolved WW-3597.
------------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2.2

Patch applied.
Thanks Gareth

> XSS vulnerability in javatemplates plugin
> -----------------------------------------
>
>                 Key: WW-3597
>                 URL: https://issues.apache.org/jira/browse/WW-3597
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Java Templates
>    Affects Versions: 2.2.1.1
>            Reporter: Gareth Faires
>            Assignee: Maurizio Cucchiara
>            Priority: Critical
>             Fix For: 2.2.2
>
>         Attachments: javatemplates-xss.patch
>
>
> Many of the component handlers do not escape the value attribute.  In fact they have been deliberately set to not escape their output.  This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.
> The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits.  The Freemarker renderer escapes values correctly therefore switching over to the javatemplates plugin can automatically make your website vulnerable.
> Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.
> I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.
