http://issues.apache.org/bugzilla/show_bug.cgi?id=38749

Summary: XSS vulnerability in LookupDispatchAction
Product: Struts
Version: 1.2.8
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Extras
AssignedTo: dev@struts.apache.org
ReportedBy: [EMAIL PROTECTED]

If the user supplies a parameter value which does not correspond to an entry in the lookupMap, then the supplied value is included in the resulting message passed back to the user.

    // Find the key for the resource
    String key = (String) lookupMap.get(keyName);
    if (key == null) {
        String message = messages.getMessage(
            "dispatch.resource", mapping.getPath(), keyName);
        throw new ServletException(message);
    }

And the message template is:

    Servlet error: Action[{0}] missing resource '{1}' in key method map

At this point, the path is safe (as it must correspond with a path from the Action), but the keyName is arbitrary user input. In the specific case we've got,

    http://localhost:8988/EDM-ViewController-context-root/browse.do?act=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&select=1177281

produces the HTML:

    <HTML><HEAD><TITLE>500 Internal Server Error</TITLE></HEAD><BODY><H1>500 Internal Server Error</H1><PRE>Servlet error: Action[/browse] missing resource '<SCRIPT>alert("XSS");</SCRIPT>' in key method map</PRE></BODY></HTML>

(Browsing the source code for 1.3, I think that DispatchAction and LookupDispatchAction in that version have the same problem.)
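An added example, not code from the report or from Struts, that places the reflecting lookup described above beside a variant which HTML-encodes the user-supplied key name before it can reach an error page. The class name KeyLookupDemo, the escapeHtml helper and the sample mapping are assumptions; the payload string is the one quoted in the report.

```java
import java.util.HashMap;
import java.util.Map;

// Assumed demo class: contrasts the reflecting lookup with a hardened one.
public class KeyLookupDemo {

    // Mirrors the reported pattern: an unrecognised keyName is interpolated
    // verbatim into the error text, which the container then renders as HTML.
    static String vulnerableMessage(Map<String, String> lookupMap, String path, String keyName) {
        String key = lookupMap.get(keyName);
        if (key == null) {
            return "Servlet error: Action[" + path + "] missing resource '"
                    + keyName + "' in key method map";
        }
        return key;
    }

    // Minimal HTML encoder (assumed helper); any value of user origin that is
    // echoed into a response must pass through something like this.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened: same lookup, but the key name is encoded before interpolation.
    // Omitting the value entirely and logging it server-side is stricter still.
    static String hardenedMessage(Map<String, String> lookupMap, String path, String keyName) {
        String key = lookupMap.get(keyName);
        if (key == null) {
            return "Servlet error: Action[" + path + "] missing resource '"
                    + escapeHtml(keyName) + "' in key method map";
        }
        return key;
    }

    public static void main(String[] args) {
        Map<String, String> lookupMap = new HashMap<>();
        lookupMap.put("button.save", "save");                 // constructed sample mapping
        String payload = "<SCRIPT>alert(\"XSS\");</SCRIPT>"; // value quoted in the report
        System.out.println(vulnerableMessage(lookupMap, "/browse", payload)); // markup survives
        System.out.println(hardenedMessage(lookupMap, "/browse", payload));   // &lt;SCRIPT&gt;...
    }
}
```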