Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26351
HistoryMay 11, 2011 - 12:00 a.m.

Apache Struts 2 Multiple Reflected XSS in XWork error pages

2011-05-1100:00:00
vulners.com
39

Security Advisory: MVSA-11-006

CVE: CVE-2011-1772

Vendor: Apache Software Foundation

Product: Struts 2 Framework

Vulnerabilities: Multiple Reflected XSS in XWork error pages

Risk: High

Attack Vector: From Remote

Authentication: Not Required

References:

Description

Apache Struts 2 framework before version 2.2.3 is vulnerable to reflected Cross-Site Scripting
(XSS) attacks when default XWork generated error messages are displayed. User provided data is
not properly escaped before being included in XWork generated errors, thus allowing successful
reflected XSS attacks as described below.

  1. XSS payload injected in the name of the requested Struts actions (Dynamic Method Invocation
    not enabled)

     http://test.app.net/home<img>.action
    
  2. Reflected XSS vulnerabilities in <s:submit> tag using bash syntax with Dynamic Method
    Invocation (DMI) enabled

a. Reflected XSS via action attribute of <s:submit> tag

http://test.app.net/home.action?user=&amp;password=&amp;action!login&lt;script&gt;alert&#40;document.cookie&#41;
</script>:cantLogin=some_value

b. Reflected XSS via method attribute of <s:submit> tag

http://test.app.net/home.action?user=&amp;password=&amp;action!login:cantLogin&lt;script&gt;alert&#40;document.cookie
</script>=some_value

Affected Versions

All releases of Apache Struts 2 framework prior to 2.2.3 were found vulnerable to the above
attacks.

Other open source and commercial products using XWork framework could be vulnerable to similar
attacks.

WebWork framework released by OpenSymphony (http://opensymphony.org) was confirmed as
vulnerable to the attacks described in this advisory.

Mitigation

It is recommended to upgrade to Apache Struts 2.2.3 released on 5th of May 2011, or to the
latest available version.

Alternatively, it is recommended to implement a custom error page (eg. error_page.jsp) which
either uses proper output encoding to display XWork generated errors or displays a generic
error message. An example of required configuration in struts.xml file is shown below:

…
<global-results>
<result name="error">/error_page.jsp</result>
</global-results>
<global-exception-mappings>
<exception-mapping exception="java.lang.Exception" result="error"/>
</global-exception-mappings>
…

Disclosure Timeline

2011, February 18: Vulnerabilities discovered and documented
2011, February 18: First notification sent to Apache
2011, February 21: Second notification sent to Apache
2011, February 22: WW-3579 JIRA ticket created
2011, February 22: Apache acknowledges receiving the report
2011, February 22: Apache acknowledges the vulnerabilities
2011, March 27: Apache Struts 2.2.2 test build released
2011, April 8: Apache Struts 2.2.3 test build released
2011, May 5: Apache Struts 2.2.3 general availability build released
2011, May 11: MVSA-11-006 advisory published.

Credits

Dr. Marian Ventuneac
http://www.ventuneac.net