struts-issues mailing list archives

From "Sean Ford (JIRA)" <>
Subject [jira] Updated: (WW-3410) XSS vulnerability in
Date Fri, 19 Mar 2010 17:26:27 GMT


Sean Ford updated WW-3410:

    Attachment: URLHelper_XSS_Fix.patch

> XSS vulnerability in
> -----------------------------------
>                 Key: WW-3410
>                 URL:
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions:
>            Reporter: Sean Ford
>         Attachments: URLHelper_XSS_Fix.patch
> WebWise Security has discovered an XSS vulnerability in Struts This particular
> vulnerability exists in and allows an attacker to execute arbitrary javascript
> that could be used to steal a user's session credentials or execute forced javascript redirects
> to phishing sites. This vulnerability manifests itself when the <s:url> tag is used
> with includeParams='all'.
> Let's say there is an action (myAction.action) that serves a JSP Page with the following
> <a href="<s:url includeParams="all"/>">My Link</a>
> Attack 1:
> /myAction.action?param"><sCript>alert('XSS');</sCript>=1
> This is very similar to the vulnerability in Security Bulletin S2-002; however, the
> implemented fix for S2-002 only checks for "<script>", not "<sCript>".
> Attack 2:
> /myAction.action?param"onMouseOver%3D"javascript:alert('XSS');">=1
> Simply checking for <script> isn't sufficient because certain attributes can be
> injected to execute javascript. In attack 2, the user simply has to hover over the link with
> their mouse and arbitrary javascript will be executed.
> I attached a possible fix as a patch. Essentially, both the key and value for a parameter
> must be escaped when creating the query string in

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
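
The mitigation the report describes, escaping both the parameter name and the value when the query string is built, shown as an added example; this is not the attached patch or Struts code. The class and method names are hypothetical, and `java.net.URLEncoder` is assumed as the escaping routine.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryStringEscapeDemo {

    // The kind of check the report calls insufficient: only the literal "<script>" is rejected.
    static boolean passesScriptBlacklist(String s) {
        return !s.contains("<script>");
    }

    // Hypothetical helper: URL-encode the parameter name as well as the value.
    static String buildQueryString(Map<String, String> params) throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) {
                sb.append("&amp;"); // separator as it would appear inside an HTML attribute
            }
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8"))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Parameter names from the two requests in the report, as the application
        // sees them once the container has decoded %3D to '='.
        String[] names = {
            "param\"><sCript>alert('XSS');</sCript>",
            "param\"onMouseOver=\"javascript:alert('XSS');\">"
        };
        for (String name : names) {
            Map<String, String> params = new LinkedHashMap<>();
            params.put(name, "1");
            String qs = buildQueryString(params);
            // Both names get past the literal "<script>" check.
            System.out.println("blacklist passes: " + passesScriptBlacklist(name));
            System.out.println("encoded query:    " + qs);
            // After encoding, no quote or angle bracket is left to break out of href="...".
            if (qs.contains("\"") || qs.contains("<") || qs.contains(">")) {
                throw new AssertionError("unescaped metacharacter in " + qs);
            }
        }
    }
}
```

Encoding at output time handles the mixed-case tag and the injected attribute the same way, because the characters that end the `href` value never reach the page unescaped.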
