struts-issues mailing list archives

From "Niall Pemberton (JIRA)" <j...@apache.org>
Subject [jira] Commented: (STR-3191) Sufficiently filter HTML tag attribute names and values
Date Tue, 22 Sep 2009 19:36:52 GMT

[ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46820#action_46820 ]

Niall Pemberton commented on STR-3191:
--------------------------------------

Firstly, apologies for the lateness in this response.

I have looked through the links for this vulnerability and the description is very vague...

"allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related
to 'insufficient quoting of parameters.'"

...and I can find nothing that demonstrates how there is an XSS vulnerability.

The original fix sent to the Struts PMC involved filtering the attribute names and values
in BaseHandlerTag's prepareAttribute() method:

{code}
protected void prepareAttribute(StringBuffer handlers, String name,
    Object value) {
    if (value != null) {
        // Emit: name="value", with both the name and the value passed through
        // TagUtils.filter() so that <, >, &, and quote characters are escaped.
        handlers.append(" ");
        handlers.append(TagUtils.getInstance().filter(name));
        handlers.append("=\"");
        handlers.append(TagUtils.getInstance().filter(value.toString()));
        handlers.append("\"");
    }
}
{code}

I can't see how either of these values can be subject to an XSS vulnerability since neither
is taken from user input. The attribute names are all values hard-coded in tags that extend
from BaseHandlerTag, and the values are from JSP pages created by the webapp developer, not
from user input.

I would like to see an example of how an XSS vulnerability can occur with these tags/attributes;
otherwise I think we should revert the change.

> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to insufficient quoting of parameters.
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
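The following is an added, self-contained example and not code from Struts or from this thread. It rebuilds the attribute-emitting logic of prepareAttribute() shown above and renders the same tag with and without filtering, so the effect of the change is visible in the output: a value containing a double quote ends the attribute early when unfiltered and stays inside it when filtered. The filter() method here is an assumed stand-in for TagUtils.filter(); the real Struts implementation may differ in detail, and the sample attribute values are constructed for the demonstration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Struts code): emulates BaseHandlerTag.prepareAttribute()
 * and shows what attribute filtering changes when a value contains a quote.
 */
public class AttributeFilterDemo {

    /**
     * Escapes the characters that can terminate or alter an HTML attribute.
     * Assumed stand-in for TagUtils.filter(); not the Struts implementation.
     */
    public static String filter(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Mirrors prepareAttribute(): appends name="value". The doFilter flag
     * selects the pre-fix (raw) or post-fix (filtered) behaviour.
     */
    public static void prepareAttribute(StringBuilder handlers, String name,
                                        Object value, boolean doFilter) {
        if (value != null) {
            handlers.append(" ");
            handlers.append(doFilter ? filter(name) : name);
            handlers.append("=\"");
            handlers.append(doFilter ? filter(value.toString()) : value.toString());
            handlers.append("\"");
        }
    }

    /** Renders an <input> tag from an ordered attribute map. */
    public static String renderInput(Map<String, Object> attrs, boolean doFilter) {
        StringBuilder sb = new StringBuilder("<input");
        for (Map.Entry<String, Object> e : attrs.entrySet()) {
            prepareAttribute(sb, e.getKey(), e.getValue(), doFilter);
        }
        return sb.append(">").toString();
    }

    public static void main(String[] args) {
        Map<String, Object> attrs = new LinkedHashMap<>();
        attrs.put("type", "text");
        attrs.put("name", "query");
        // Constructed sample value containing a double quote, the character
        // that closes an HTML attribute value.
        attrs.put("value", "a\" b=\"c");

        System.out.println("unfiltered: " + renderInput(attrs, false));
        System.out.println("filtered:   " + renderInput(attrs, true));
    }
}
```

Run with `javac AttributeFilterDemo.java && java AttributeFilterDemo`. In the unfiltered line the embedded quote closes the value attribute and the remainder is parsed as a separate attribute; in the filtered line the quote is emitted as `&quot;` and the whole string remains a single attribute value. Whether any such value can originate from a request in a deployed application is exactly the question raised in the comment above; this example only shows what the filter does to the markup when it does.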

