DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38749>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38749

           Summary: XSS vulnerability in LookupDispatchAction
           Product: Struts
           Version: 1.2.8
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Extras
        AssignedTo: dev@struts.apache.org
        ReportedBy: [EMAIL PROTECTED]


If the user supplies a parameter value which does not correspond to an entry in 
the lookupMap, then the supplied value is included in the resulting message 
passed back to the user.

        // Find the key for the resource
        String key = (String) lookupMap.get(keyName);
        if (key == null) {
            String message = messages.getMessage(
                    "dispatch.resource", mapping.getPath(), keyName);
            throw new ServletException(message);
        }

And the message template is:
        Servlet error: Action[{0}] missing resource '{1}' in key method map

At this point, the path is safe (as it must correspond with a path from the 
Action), but the keyName is arbitrary user input.

In the specific case we've got,
  http://localhost:8988/EDM-ViewController-context-root/browse.do?act=%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&select=1177281

produces the HTML:
  <HTML><HEAD><TITLE>500 Internal Server Error</TITLE></HEAD><BODY><H1>500 
Internal Server Error</H1><PRE>Servlet error: Action[/browse] missing resource 
'<SCRIPT>alert("XSS");</SCRIPT>' in key method map</PRE></BODY></HTML>

(Browsing the source code for 1.3, I think that DispatchAction and 
LookupDispatchAction in that version have the same problem.)

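As an added illustration (not Struts code, and not part of the report), the following builds the error message the way the report describes, once with the raw keyName and once with it HTML-escaped before interpolation; the class and method names are assumptions, and the input is constructed from the report's example.

```java
import java.text.MessageFormat;

// Added illustration, not Struts code: the message is built as the report
// describes, first with the raw key (vulnerable) and then with the key
// HTML-escaped before it can reach the error page.
public class DispatchMessageDemo {

    // Same wording as the Struts template; quotes are doubled because
    // MessageFormat treats a single quote as an escape character.
    static final String TEMPLATE =
        "Servlet error: Action[{0}] missing resource ''{1}'' in key method map";

    // Mirrors the reported behaviour: keyName goes into the message untouched.
    static String vulnerableMessage(String path, String keyName) {
        return MessageFormat.format(TEMPLATE, path, keyName);
    }

    // Minimal HTML escaping of the characters that matter in HTML text and
    // attribute contexts; a real application would use a library helper.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened variant: the untrusted parameter is escaped before it is
    // interpolated, so the browser renders it as text rather than markup.
    static String safeMessage(String path, String keyName) {
        return MessageFormat.format(TEMPLATE, path, escapeHtml(keyName));
    }

    public static void main(String[] args) {
        // Constructed input in the shape of the report's reflected parameter.
        String key = "<SCRIPT>alert(\"XSS\");</SCRIPT>";
        System.out.println(vulnerableMessage("/browse", key));
        System.out.println(safeMessage("/browse", key));
        // Defender's check: the hardened message must contain no raw '<'.
        if (safeMessage("/browse", key).indexOf('<') >= 0) {
            throw new AssertionError("unescaped markup reached the message");
        }
    }
}
```

Escaping keeps the diagnostic useful; the other defensible option is to leave the user-supplied value out of the message entirely and log it server-side instead.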