[https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217298#comment-15217298]
Naozumi Taromaru commented on WW-4507:
--------------------------------------
The analysis of Rene (14/Jan/16 16:04) is wrong.
One cause of this vulnerability is not JRE 1.5's URLDecoder, but the old decoding
rule of UTF-8.
(This vulnerability's other cause is the wrong implementation of
org.apache.struts2.components.Include.)

Decoding the byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 }
to the String { U+0022 = '"' }
is the old decoding rule of UTF-8.
The affected components are all decoding APIs of the JDK.
URLDecoder is one of them, but it's not all of them.
For example, InputStreamReader is one of them too,
and new String(byte[], ...) is one of them too.
Therefore, even if all code using URLDecoder is fixed,
this vulnerability isn't fixed.

Decoding the byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 }
to the String { U+0022 = '"' }
is the old decoding rule of UTF-8.
But changing the
String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 }
to the
String { U+0022 = '"' }
is caused by
the wrong implementation of org.apache.struts2.components.Include
together with the old decoding rule of UTF-8.
If the wrong implementation of org.apache.struts2.components.Include didn't exist,
the byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 } would be in the HTTP response.
(If the XSS succeeded, it would be a vulnerability of the web browser.
At least when using a modern web browser, the XSS doesn't succeed.)

The wrong implementation of org.apache.struts2.components.Include is
pageResponse.getContent().writeTo(writer, encoding);
and
pageResponse.getContent().writeTo(writer, systemEncoding); .
If
<%@ page contentType="text/html" %>
or
<%@ page contentType="text/html; charset=ISO-8859-1" %>
is written in the JSP,
"pageResponse.getContent()" contains an ISO-8859-1 (response.getCharacterEncoding())
byte sequence.
But org.apache.struts2.components.Include uses another CharacterEncoding (default
is UTF-8) when decoding.
Therefore
pageResponse.getContent().writeTo(writer, response.getCharacterEncoding());
is correct.
> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System: Windows 7. Application Server:
> JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts
> 2.3.16.3. Browser: FireFox 38.0.1
> Reporter: brian neisen
> Assignee: Rene Gielen
> Labels: struts2, vulnerability, xss
> Fix For: 2.3.28, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an XSS vulnerability with the
> <s:textfield> tag. When loading a URL in a browser with some param name, in
> this case "myinput", and the JSP being loaded has the tag <s:textfield
> name="myinput" id="myinput"></s:textfield>, an alert message is popped open
> in the browser, which is WhiteHat's method of showing the vulnerability.
> Example url is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
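The two mechanisms the comment above describes, the old "no shortest-form check" UTF-8 decoding rule that turns fc 80 80 80 80 a2 into U+0022, and the Include tag re-decoding ISO-8859-1 page bytes as UTF-8, modelled in Python as an added example. This is not code from the Struts project, the JDK, or the comment's author: `lenient_utf8_decode` is a constructed model of the pre-RFC-3629 rule (up to six-byte sequences, no overlong rejection), `include_writes` is a constructed model of the writeTo() charset mismatch, and `PAGE_TEXT` is a constructed page body corresponding to the comment's String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 }.

```python
"""Old (RFC 2279-style) UTF-8 decoding versus strict decoding, and the
Include charset mismatch. Added example; the lenient decoder is a model of
the legacy rule, not the JDK's actual implementation."""
from urllib.parse import unquote_to_bytes

# Six-byte overlong form of U+0022 taken from the report's example URL.
OVERLONG_QUOTE = bytes.fromhex("fc 80 80 80 80 a2")


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the pre-RFC-3629 way: lead bytes up to 0xfd, sequences
    of one to six bytes, and NO shortest-form check. An overlong sequence
    therefore decodes to the same code point as its canonical form."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, extra = b, 0
        elif 0xC0 <= b <= 0xDF:
            cp, extra = b & 0x1F, 1
        elif 0xE0 <= b <= 0xEF:
            cp, extra = b & 0x0F, 2
        elif 0xF0 <= b <= 0xF7:
            cp, extra = b & 0x07, 3
        elif 0xF8 <= b <= 0xFB:
            cp, extra = b & 0x03, 4
        elif 0xFC <= b <= 0xFD:
            cp, extra = b & 0x01, 5
        else:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        if i + extra >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for j in range(1, extra + 1):
            cb = data[i + j]
            if cb & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{cb:02x} at offset {i + j}")
            cp = (cp << 6) | (cb & 0x3F)   # accumulate 6 payload bits per byte
        if cp > 0x10FFFF:
            raise ValueError(f"code point out of range at offset {i}")
        out.append(chr(cp))
        i += extra + 1
    return "".join(out)


def strict_utf8_decode(data: bytes) -> str:
    """Modern rule (RFC 3629): Python's codec rejects overlong forms and
    lead bytes 0xf8..0xff, raising UnicodeDecodeError."""
    return data.decode("utf-8")


def survives_only_under_old_rule(data: bytes) -> bool:
    """True when a strict decoder rejects the bytes but the old rule still
    yields a string: the input depends on the legacy behaviour."""
    try:
        strict_utf8_decode(data)
        return False
    except UnicodeDecodeError:
        pass
    try:
        lenient_utf8_decode(data)
        return True
    except ValueError:
        return False


def decode_query_value(percent_encoded: str, old_rule: bool) -> str:
    """Percent-decode a query value to bytes, then apply either UTF-8 rule
    (the two steps URLDecoder performs in one call)."""
    raw = unquote_to_bytes(percent_encoded)
    return lenient_utf8_decode(raw) if old_rule else strict_utf8_decode(raw)


# --- the Include charset mismatch ---------------------------------------
# Constructed page body: a JSP declared as ISO-8859-1 wrote these six
# Latin-1 characters, which encode to the bytes fc 80 80 80 80 a2.
PAGE_TEXT = "\u00fc\u0080\u0080\u0080\u0080\u00a2"


def include_writes(page_text: str, page_charset: str, include_charset: str) -> str:
    """Model of what the Include tag hands to the writer. page_charset is
    response.getCharacterEncoding(); include_charset is the charset the tag
    actually passed to writeTo(). When the tag picks UTF-8 the old decoding
    rule is applied to the captured bytes."""
    raw = page_text.encode(page_charset)         # bytes captured from the page
    if include_charset.upper() == "UTF-8":
        return lenient_utf8_decode(raw)          # old JDK rule, modelled above
    return raw.decode(include_charset)


if __name__ == "__main__":
    print(repr(decode_query_value("%fc%80%80%80%80%a2", old_rule=True)))
    print(survives_only_under_old_rule(OVERLONG_QUOTE))
    print(repr(include_writes(PAGE_TEXT, "ISO-8859-1", "UTF-8")))
    print(include_writes(PAGE_TEXT, "ISO-8859-1", "ISO-8859-1") == PAGE_TEXT)
```

Run directly, the script shows the request parameter collapsing to `"` under the old rule, the same six bytes being rejected by the strict decoder, the Include mismatch producing `"` from a page body that contained no quote character, and the comment's proposed fix (writing with `response.getCharacterEncoding()`) leaving the page body unchanged.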