Posted to user@struts.apache.org by Rene Gielen <rg...@apache.org> on 2011/05/11 08:13:24 UTC

[ANN][SECURITY] Security Announcement: XSS Vulnerability in Struts 2 before 2.2.3

Problem:
--------
A security vulnerability affecting all versions of Struts 2 before
Struts 2.2.3 has been reported by Dr. Marian Ventuneac (Genworth). The
vulnerability allows an attacker to inject malicious client-side
JavaScript code into Struts 2 based applications that have Dynamic Method
Invocation enabled (which is the default) AND do not have a global error
handling page configured.

For further details, see:
https://cwiki.apache.org/WW/s2-006.html
https://issues.apache.org/jira/browse/WW-3579

Solution:
---------
We advise all users of Struts 2 for all their Struts 2 based
applications to either

upgrade to Struts 2.2.3, which fixes the issue; it can be obtained from
http://struts.apache.org/download.cgi#struts223

or

disable Dynamic Method Invocation in struts.xml, as described in
https://cwiki.apache.org/WW/s2-006.html

or

define a global error page in struts.xml, as described in
https://cwiki.apache.org/WW/s2-006.html
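As an added illustration (not part of the advisory and not code from the Struts project), the following struts.xml shows both configuration-side mitigations in one file: the Dynamic Method Invocation switch and a global error result backed by a global exception mapping. The constant name struts.enable.DynamicMethodInvocation and the global-results / global-exception-mappings elements come from the Struts 2 configuration documentation; the package name, action class and JSP paths are assumed values for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
    <!-- Mitigation 1: disable Dynamic Method Invocation (the "action!method"
         URL syntax) for the whole application. The constant name is taken from
         the Struts 2 documentation; the advisory itself only names the feature. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <package name="default" extends="struts-default">
        <!-- Mitigation 2: a global error page, so that unhandled errors render a
             static, application-controlled view instead of the framework default.
             The JSP path is an assumed value; the page should not echo request
             parameters or the requested URL without output escaping. -->
        <global-results>
            <result name="error">/WEB-INF/pages/error.jsp</result>
        </global-results>
        <global-exception-mappings>
            <exception-mapping exception="java.lang.Exception" result="error" />
        </global-exception-mappings>

        <!-- Example action; class and view path are assumed for this example. -->
        <action name="index" class="com.example.IndexAction">
            <result>/WEB-INF/pages/index.jsp</result>
        </action>
    </package>
</struts>
```

Either mitigation on its own satisfies the advisory's "or" conditions, but applying both costs nothing and means a later configuration change to one does not silently reopen the issue. After deploying, confirm that a request using the "!method" suffix no longer dispatches to the named method and that a deliberately failing action renders the configured error page; the upgrade to 2.2.3 remains the recommended fix in any case.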


- The Apache Struts Team.

-- 
René Gielen
http://twitter.com/rgielen
