Differences between revisions 2 and 3
Revision 2 as of 2005-11-30 15:01:37
Size: 2725
Comment:
Revision 3 as of 2009-09-20 23:12:36
Size: 2739
Editor: localhost
Comment: converted to 1.6 markup
Line 4: Line 4:
A ''Cross Site Scripting'' (XSS) vulnerabilty has been identified in Struts by [http://www.hacktics.com/ Hacktics.com]. For further information, see... A ''Cross Site Scripting'' (XSS) vulnerabilty has been identified in Struts by [[http://www.hacktics.com/|Hacktics.com]]. For further information, see...
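Review bot: "vulnerabilty" in the Line 4 sentence is misspelled in both the old and the new revision. Since this line is already being rewritten for the new link syntax, correct it to "vulnerability" in the same edit.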
Line 6: Line 6:
 * [http://en.wikipedia.org/wiki/XSS Wikipedia] - What is ''Cross Site Scripting''?
 * [http://www.hacktics.com/AdvStrutsNov05.html Hacktics.com Advisory] - Details of the threat to Struts
 * [[http://en.wikipedia.org/wiki/XSS|Wikipedia]] - What is ''Cross Site Scripting''?
 * [[http://www.hacktics.com/AdvStrutsNov05.html|Hacktics.com Advisory]] - Details of the threat to Struts
Line 21: Line 21:
 * Upgrade to [http://struts.apache.org/struts-doc-1.2.8/userGuide/release-notes.html Struts 1.2.8]  * Upgrade to [[http://struts.apache.org/struts-doc-1.2.8/userGuide/release-notes.html|Struts 1.2.8]]
Line 49: Line 49:
 * [http://struts.apache.org/struts-doc-1.2.8/userGuide/release-notes.html Struts 1.2.8 Release Notes]
 * [http://wiki.apache.org/struts/StrutsUpgrade Notes on Upgrading]
 * Download latest Struts [http://struts.apache.org/acquiring.html here]
 * [[http://struts.apache.org/struts-doc-1.2.8/userGuide/release-notes.html|Struts 1.2.8 Release Notes]]
 * [[http://wiki.apache.org/struts/StrutsUpgrade|Notes on Upgrading]]
 * Download latest Struts [[http://struts.apache.org/acquiring.html|here]]
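Review bot: in the last item of the Line 49 list, the converted link keeps "here" as its text ("Download latest Struts [[http://struts.apache.org/acquiring.html|here]]"), which tells the reader nothing about the target. The other two items in the list use the destination's name as link text; do the same here, for example by making the whole phrase "Download latest Struts" the link text.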

Struts XSS Vulnerability

1. Information

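A Cross Site Scripting (XSS) vulnerability has been identified in Struts by Hacktics.com (http://www.hacktics.com/). For further information, see:

  • Wikipedia (http://en.wikipedia.org/wiki/XSS) - What is Cross Site Scripting?
  • Hacktics.com Advisory (http://www.hacktics.com/AdvStrutsNov05.html) - Details of the threat to Struts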

2. Impact

The following GA quality versions of Struts are vulnerable:

  • Struts 1.0.x
  • Struts 1.1
  • Struts 1.2.4
  • Struts 1.2.7

N.B. Struts 1.2.8 and Struts 1.3.x do NOT have this vulnerability.

3. Solutions/Options

There are three possible courses of action users can take to guard against this vulnerability:

  • Configure an unknown Struts Action (Struts Version 1.1 onwards)

  • Upgrade to Struts 1.2.8

  • Configure your Servlet Container to use a Custom Error Page for 404 / Not Found errors

3.1 Configure an unknown Struts Action

From Struts 1.1 onwards it is possible to configure one action in the struts-config.xml to handle requests whose path matches no other mapping (Not Found). This action should be configured to forward to a custom error page, and that page must not include the request's path.

To do this you specify the unknown attribute on ONE of your action mappings and forward to a custom error page, for example...

   <struts-config>
       <action-mappings>
           <action forward="/CustomNotFoundError.jsp" unknown="true" />
       </action-mappings>
   </struts-config>

Ralph Hauser reports that the above "doesn't validate with the 1.2 DTD". I tried it in the struts-examples webapp for Struts 1.2.7 and it worked fine for me - niallp. However, if the above doesn't work, then add a "path" element to the action mapping:

   <struts-config>
       <action-mappings>
           <action path="/unknown" forward="/CustomNotFoundError.jsp" unknown="true" />
       </action-mappings>
   </struts-config>

3.2 Upgrading to Struts 1.2.8

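Struts 1.2.8 removes this vulnerability. For further information on Struts 1.2.8, see:

  • Struts 1.2.8 Release Notes (http://struts.apache.org/struts-doc-1.2.8/userGuide/release-notes.html)
  • Notes on Upgrading (http://wiki.apache.org/struts/StrutsUpgrade)
  • Download latest Struts (http://struts.apache.org/acquiring.html)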

3.3 Configure Servlet Container to use a Custom Error Page

Check your servlet container's documentation to see if you can configure a custom error page for 404 / Not Found status.
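
A check for the mitigations in 3.1 and 3.3, as an added example that is not part of the original page or of Struts: it reads struts-config.xml and web.xml, finds the configured Not Found page, and flags a page that echoes the request path. The function names, the sample input and the regular-expression heuristic are assumptions made for illustration; the `<error-page>` element is the standard web.xml way to set a 404 page.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic (assumption): names through which a JSP scriptlet or EL reads the path.
PATH_SOURCES = re.compile(
    r"requestur[il]|servletpath|pathinfo|querystring"
    r"|javax\.servlet\.error\.request_uri", re.I)

def _local(tag):
    """Strip a namespace such as '{http://java.sun.com/xml/ns/j2ee}' from a tag."""
    return tag.rsplit("}", 1)[-1]

def unknown_forwards(struts_config_xml):
    """Forward targets of every <action unknown="true"> in struts-config.xml."""
    root = ET.fromstring(struts_config_xml)
    return [a.get("forward") for a in root.iter("action")
            if a.get("unknown") == "true"]

def error_page_404(web_xml):
    """Location of the 404 <error-page> in web.xml, or None if not configured."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "error-page":
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            if f.get("error-code") == "404" and f.get("location"):
                return f["location"]
    return None

def audit(struts_config_xml, web_xml, pages):
    """Return findings; `pages` maps an error page path to its JSP source."""
    findings = []
    forwards = unknown_forwards(struts_config_xml)
    if len(forwards) > 1:
        findings.append('more than one action mapping has unknown="true"')
    targets = sorted({t for t in forwards + [error_page_404(web_xml)] if t})
    if not targets:
        findings.append("no custom error page configured for unmatched paths")
    for path in targets:
        if PATH_SOURCES.search(pages.get(path, "")):
            findings.append("%s echoes the request path" % path)
    return findings

# Constructed sample input (not taken from any real application).
STRUTS_CONFIG = ('<struts-config><action-mappings>'
                 '<action forward="/CustomNotFoundError.jsp" unknown="true" />'
                 '</action-mappings></struts-config>')
WEB_XML = ('<web-app><error-page><error-code>404</error-code>'
           '<location>/CustomNotFoundError.jsp</location></error-page></web-app>')
SAFE_JSP = "<html><body>The page you requested was not found.</body></html>"
ECHO_JSP = "<html><body>Not found: <%= request.getRequestURI() %></body></html>"
```

An empty list from `audit` means a custom Not Found page is configured and none of the checked pages matched the path heuristic; the heuristic does not replace reading the error page itself.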

StrutsXssVulnerability (last edited 2009-09-20 23:12:36 by localhost)