struts-issues mailing list archives

From "Niall Pemberton (JIRA)" <j...@apache.org>
Subject [jira] Commented: (STR-3191) Sufficiently filter HTML tag attribute names and values
Date Tue, 22 Sep 2009 20:50:48 GMT

    [ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46822#action_46822
] 

Niall Pemberton commented on STR-3191:
--------------------------------------

Thanks for the response, Vincent, but the vulnerability shown here is in the JSP page - if a
developer writes a page that re-renders user input like that without filtering then they're
shooting themselves in the foot and they should fix their code. They could equally do exactly
the same thing without using Struts tags and you get exactly the same vulnerability:

------------------------------------------------------------------
<%@ taglib uri="/tags/struts-html" prefix="html" %>

<html>
<head>
<title>CVE-2008-2025 exploit test</title>
</head>
<body>

<img src="noone.gif" alt="<%= request.getParameter("alt") %>"/>

</body>
</html>
------------------------------------------------------------------ 

The problem is in the use of a scriptlet to re-render unfiltered user input:
   <%= request.getParameter("alt") %>

> Sufficiently filter HTML tag attribute names and values
> -------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to insufficient quoting of parameters.
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
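As an added illustration of the filtering step the scriptlet in the message above omits (example code written for this archive entry, not code from the thread, from Struts, or from the CVE fix): a small Java escaper for HTML attribute values, applied to the same alt parameter. The class name AttributeFilter and the sample inputs are constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Escapes a request parameter before it is placed inside a quoted HTML
 * attribute, so the value cannot close the attribute or start a new tag.
 * Hypothetical helper, not part of Struts.
 */
public final class AttributeFilter {

    /** Replace the five characters that can alter attribute or tag structure. */
    public static String filter(String value) {
        if (value == null) {
            return "";                       // render nothing rather than the text "null"
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The img tag from the JSP in the thread, with the alt value filtered. */
    public static String imgTag(String alt) {
        return "<img src=\"noone.gif\" alt=\"" + filter(alt) + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed inputs: a harmless value and one that tries to close the attribute.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("plain", "company logo");
        samples.put("breakout", "\"><b>injected</b><img alt=\"");
        for (Map.Entry<String, String> e : samples.entrySet()) {
            // The escaped value stays inside the quotes; no new tag or attribute is started.
            System.out.println(e.getKey() + ": " + imgTag(e.getValue()));
        }
    }
}
```

In the JSP, the raw scriptlet would become <%= AttributeFilter.filter(request.getParameter("alt")) %>, which is the same kind of filtering the Struts tags apply to their own attributes.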

