Struts Error Message Cross Site Scripting

2005-11-21 / 2005-11-22
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Background ========== Struts is an open source framework for building web applications. The core of the Struts framework is a flexible control layer based on standard technologies such as Java Servlets, JavaBeans, resource bundles, and the Extensible Markup Language (XML). Struts can be used with different Java engines, such as WebLogic, TomCat, JRun, etc. Scope ===== After identifying in Struts an error message echoing the path back to the user, Hacktics has conducted a research of identifying a cross site scripting vulnerability in the implementation of this error on different application servers. The Finding =========== When attempting to access a non existent Struts action URL (including the Struts URL suffix, e.g. .do), the struts request handler generates an error echoing the path of the requested action. The mechanism generating this error does not perform sufficient input validation nor perform HTML encoding of the output, thus exposing the system, in some environments, to a Cross Site Scripting attack. For detailed description and exploit please visit http://www.hacktics.com/AdvStrutsNov05.html Versions Tested =============== Vulnerable Struts 1.2.7 Running on WebLogic 8.1 SP4 Struts 1.2.7 Running on WebLogic 8.1 SP5 Struts 1.2.7 Running on Resin Web Server Non Vulnerable Struts Running on Apache Tomcat 5.5.9 Struts Running on Apache Tomcat 5.5.12 Solution ======== The Apache Struts group has been notified of this vulnerability on November 3rd, and has fixed the problem in the new Struts release (1.2.8). Upgrading to the new version will eliminate the threat. Alternatively, a work around is available on existing versions by configuring the web server to display custom error messages rather than the default ones. ----------------------- Irene Abezgauz Application Security Consultant Hacktics Ltd. Mobile: +972-54-6545405 Web: http://www.hacktics.com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top