[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Apache Struts 2 Multiple Reflected XSS in XWork error pages
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Apache Struts 2 Multiple Reflected XSS in XWork error pages
- From: marian.ventuneac@xxxxxxxxx
- Date: Tue, 10 May 2011 15:15:30 -0600
Security Advisory: MVSA-11-006
CVE: CVE-2011-1772
Vendor: Apache Software Foundation
Product: Struts 2 Framework
Vulnerabilities: Multiple Reflected XSS in XWork error pages
Risk: High
Attack Vector: From Remote
Authentication: Not Required
References:
-
http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html
- https://issues.apache.org/jira/browse/WW-3579
- http://struts.apache.org/2.x/doc/s2-006.html
Description
Apache Struts 2 framework before version 2.2.3 is vulnerable to reflected
Cross-Site Scripting (XSS) attacks when default XWork generated error messages
are displayed. User provided data is not properly escaped before being included
in XWork generated errors, thus allowing successful reflected XSS attacks as
described below.
1. XSS payload injected in the name of the requested Struts actions (Dynamic
Method Invocation not enabled)
http://test.app.net/home<img>.action
2. Reflected XSS vulnerabilities in <s:submit> tag using bash syntax with
Dynamic Method Invocation (DMI) enabled
a. Reflected XSS via action attribute of <s:submit> tag
http://test.app.net/home.action?user=&password=&action!login<script>alert(document.cookie)
</script>:cantLogin=some_value
b. Reflected XSS via method attribute of <s:submit> tag
http://test.app.net/home.action?user=&password=&action!login:cantLogin<script>alert(document.cookie
</script>=some_value
Affected Versions
All releases of Apache Struts 2 framework prior to 2.2.3 were found vulnerable
to the above attacks.
Other open source and commercial products using XWork framework could be
vulnerable to similar attacks.
WebWork framework released by OpenSymphony (http://opensymphony.org) was
confirmed as vulnerable to the attacks described in this advisory.
Mitigation
It is recommended to upgrade to Apache Struts 2.2.3 released on 5th of May
2011, or to the latest available version.
Alternatively, it is recommended to implement a custom error page (eg.
error_page.jsp) which either uses proper output encoding to display XWork
generated errors or displays a generic error message. An example of required
configuration in struts.xml file is shown below:
?
<global-results>
<result name="error">/error_page.jsp</result>
</global-results>
<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>
?
Disclosure Timeline
2011, February 18: Vulnerabilities discovered and documented
2011, February 18: First notification sent to Apache
2011, February 21: Second notification sent to Apache
2011, February 22: WW-3579 JIRA ticket created
2011, February 22: Apache acknowledges receiving the report
2011, February 22: Apache acknowledges the vulnerabilities
2011, March 27: Apache Struts 2.2.2 test build released
2011, April 8: Apache Struts 2.2.3 test build released
2011, May 5: Apache Struts 2.2.3 general availability build released
2011, May 11: MVSA-11-006 advisory published.
Credits
Dr. Marian Ventuneac
http://www.ventuneac.net