Posted to commits@struts.apache.org by lu...@apache.org on 2015/08/25 11:08:38 UTC

svn commit: r963024 - /websites/production/struts/content/docs/s2-025.html

Author: lukaszlenart
Date: Tue Aug 25 09:08:37 2015
New Revision: 963024

Log:
Updates production

Modified:
    websites/production/struts/content/docs/s2-025.html

Modified: websites/production/struts/content/docs/s2-025.html
==============================================================================
--- websites/production/struts/content/docs/s2-025.html (original)
+++ websites/production/struts/content/docs/s2-025.html Tue Aug 25 09:08:37 2015
@@ -125,7 +125,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-025-Summary">Summary</h2>Cross-Site Scripting Vulnerability in Debug Mode<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>A</span><span>ffects of a cross-site scripting vulnerability </span>when debug mode is switched on in production environment.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Turn off debug mode in production environment. An upgr
 ade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2320">Struts 2.3.20</a> is recommended.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">Taki Uchiyama, JPCERT/CC</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2015-5169</p></td></tr></tbody></table></div><h2 id="S2-025-Problem">Problem</h2><p>When the Struts2 debug mode is turned on, under certain conditions&#160;an arbitrary&#160;script may be executed in the 'Problem Report' screen.</p><h2 id="S2-025-Solution">Solution</h2><p>It is g
 enerally not advisable to have debug mode switched on outside of the development environment. Debug mode should always be turned off in production setup. Also never expose JSPs files directly and hide them inside&#160;<code>WEB-INF</code> folder or define dedicated security constraints to block access to raw JSP files.&#160;Please also ready our&#160;<a shape="rect" href="security.html">Security</a>&#160;guide - it contains useful informations how to secure your application.</p><p>Struts &gt;= 2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts 2.3.20 or higher.</p><h2 id="S2-025-Backwardcompatibility">Backward compatibility</h2><p>No backward compatibility problems are expected.</p><h2 id="S2-025-Workaround">Workaround</h2><h2 id="S2-025-UpgradetoStruts2.3.20"><span style="font-size: 14.0px;line-height: 20.0px;">Upgrade to Struts 2.3.20</span></h2><p><span style="font-size: 14.0px;line-height: 1.4285715;"><br clear="none"></span></p></div>
+            <div id="ConfluenceContent"><h2 id="S2-025-Summary">Summary</h2>Cross-Site Scripting Vulnerability in Debug Mode<div class="table-wrap"><table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All Struts 2 developers and users</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span>A</span><span>ffects of a cross-site scripting vulnerability </span>when debug mode is switched on in production environment.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Low</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Turn off debug mode in production environment. An upgr
 ade to <a shape="rect" class="external-link" href="http://struts.apache.org/download.cgi#struts2320">Struts 2.3.20</a> is recommended.</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Struts 2.0.0 - Struts <span style="color: rgb(23,35,59);">Struts 2.3.16.3</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p><span style="color: rgb(34,34,34);">Taki Uchiyama, JPCERT/CC</span></p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>CVE-2015-5169</p></td></tr></tbody></table></div><h2 id="S2-025-Problem">Problem</h2><p>When the Struts2 debug mode is turned on, under certain conditions&#160;an arbitrary&#160;script may be executed in the 'Problem Report' screen.</p><h2 id="S2-025-Solution">Solution</h2><p>It is g
 enerally not advisable to have debug mode switched on outside of the development environment. Debug mode should always be turned off in production setup. Also never expose JSPs files directly and hide them inside&#160;<code>WEB-INF</code> folder or define dedicated security constraints to block access to raw JSP files.&#160;Please also ready our&#160;<a shape="rect" href="security.html">Security</a>&#160;guide - it contains useful informations how to secure your application.</p><p>Struts &gt;= 2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts 2.3.20 or higher.</p><h2 id="S2-025-Backwardcompatibility">Backward compatibility</h2><p>No backward compatibility problems are expected.</p><h2 id="S2-025-Workaround">Workaround</h2><p>Upgrade to Struts 2.3.20</p><p><span style="font-size: 14.0px;line-height: 1.4285715;"><br clear="none"></span></p></div>
         </div>
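Review bot: the "+" line's Workaround section still reads only "Upgrade to Struts 2.3.20", which repeats the Solution paragraph two sentences earlier rather than giving an actual workaround; the mitigation the page itself names in the Recommendation row and in the Solution paragraph, turning debug mode off in production, is what belongs under Workaround, with the upgrade kept in Solution. The trailing empty `<p><span style="font-size: 14.0px;line-height: 1.4285715;"><br clear="none"></span></p>` left over from the removed nested `<h2>` should go too. Unchanged but still wrong in the same element: the Affected Software cell reads "Struts 2.0.0 - Struts <span ...>Struts 2.3.16.3</span>" (duplicated "Struts"), "Affects of a cross-site scripting vulnerability" should be "Effects", and "Please also ready our Security guide - it contains useful informations" should be "Please also read our Security guide - it contains useful information".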