S2-006 - Apache Struts 2 Wiki - Apache Software Foundation
DUE TO SPAM, SIGN-UP IS DISABLED. Goto
Selfserve wiki signup
and request an account.
Apache Struts 2 Wiki
Child pages
Security Bulletins
S2-006
Browse pages
tachments (0)
Page History
Resolved comments
Page Information
View in Hierarchy
View Source
Export to PDF
Export to Word
Copy Page Tree
Jira links
S2-006
Created by
Lukasz Lenart
, last modified by
René Gielen
on
May 10, 2011
Summary
Multiple Cross-Site Scripting (XSS) in XWork generated error pages
Who should read this
All Struts 2 developers
Impact of vulnerability
Injection of malicious client side code
Maximum security rating
Important
Recommendation
Developers should either upgrade to
Struts 2.2.3
or apply the configuration changes described below
Affected Software
Struts 2.0.0 - Struts 2.2.1.1
Original JIRA Tickets
WW-3579
Reporter
Dr. Marian Ventuneac, Genworth
CVE Identifier
CVE-2011-1772
Problem
By default, XWork doesn't escape action's names in automatically generated error page, allowing for a successful XSS attack. When Dynamic Method Invocation (DMI) is enabled, the action name is generated dynamically base on request parameters. This allows to call non-existing page and method to produce error page with injected code as below
=some_value
A more detailed description is found in the referenced JIRA ticket.
Solution
As of
Struts 2.2.3
the action names are escaped when automatically generated error pages are rendered.
When staying with earlier releases, developers should either
Disable DMI support in struts.xml
or
Define error page in struts.xml (as below)
You can obtain
Struts 2.2.3
here.
No labels
Overview
Content Tools
Atlassian Confluence Open Source Project License
granted to Apache Software Foundation.
Evaluate Confluence today
Atlassian Confluence
8.5.31
Printed by Atlassian Confluence 8.5.31
Report a bug
Atlassian News
Atlassian
{"serverDuration": 52, "requestCorrelationId": "c78fb139859d46a1"}