[
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217656#comment-15217656
]
Rene Gielen commented on WW-4507:
---------------------------------
[~taromaru] I'm not sure if my analysis above is completely wrong. However,
this is an interesting finding and I see your point.
Historically we had many issues with solely relying on "standard" encoding
querying functions like response.getCharacterEncoding(). That's why the
struts.i18n.encoding property was introduced (originally even in webwork). With
its help we force a user-configurable encoding.
Users are responsible for configuring consistent encoding, that is, having page
encoding match their Struts 2 setup. The best solution to your point is IMO to
use a consistent encoding across page encoding, connector setup and
struts.i18n.encoding. Besides that, we recommend using UTF-8 only. See also
https://struts.apache.org/docs/s2-028.html
This particular issue WW-4507 deals with a platform problem. After talking to
the Tomcat guys, we agreed to add additional safety by using their encoding
logic where it applies to framework calls. But we also said: this is a platform
issue, please move to a supported JRE. There is a reason why the old decoding
rule was ditched, so we can only encourage our users to move to a modern and
less buggy environment.
If you feel like the Include component should use response.getCharacterEncoding
rather than struts.i18n.encoding, you are invited to open a new issue to let us
discuss this, along with possible implications.
> Struts 2 XSS vulnerability with <s:textfield>
> ---------------------------------------------
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System: Windows 7. Application Server:
> JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: Struts
> 2.3.16.3. Browser: FireFox 38.0.1
> Reporter: brian neisen
> Assignee: Rene Gielen
> Labels: struts2, vulnerability, xss
> Fix For: 2.3.28, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the
> <s:textfield> tag. When loading a url in a browser with some param name, in
> this case "myinput", and the jsp being loaded has the tag <s:textfield
> name="myinput" id="myinput"></s:textfield>, an alert message is popped open
> in the browser, which is WhiteHat's method of showing the vulnerability.
> Example url is:
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]
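To illustrate the "old decoding rule" the comment refers to, here is an added example (my own code, not part of this issue, Struts or the JRE): it decodes a percent-encoded parameter the way a decoder that tolerates overlong and obsolete 5/6-byte UTF-8 forms would, checks the same bytes with a compliant strict decoder, and reports the byte offsets of overlong sequences so such input can be flagged in request logs. The sample parameter value is constructed to match the shape of the example URL quoted above.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample in the shape of the issue's URL: plain "script" wrapped in
# 6-byte overlong encodings of '<' (..%bC) and '>' (..%bE).
SAMPLE_PARAM = "%fc%80%80%80%80%bCscript%fc%80%80%80%80%bE"

# (length, mask, lead-byte pattern) for 1..6-byte UTF-8 forms, 5/6 included.
_FORMS = ((1, 0x80, 0x00), (2, 0xE0, 0xC0), (3, 0xF0, 0xE0),
          (4, 0xF8, 0xF0), (5, 0xFC, 0xF8), (6, 0xFE, 0xFC))

def _sequences(data: bytes):
    """Yield (offset, length, code point) per UTF-8 sequence, accepting
    overlong and 5/6-byte forms without complaint (the lenient behaviour)."""
    i = 0
    while i < len(data):
        b = data[i]
        n = next((k for k, mask, lead in _FORMS if b & mask == lead), 0)
        tail = data[i + 1:i + n]
        if n == 0 or len(tail) != n - 1 or any(c & 0xC0 != 0x80 for c in tail):
            yield i, 1, 0xFFFD          # malformed byte: replacement character
            i += 1
            continue
        cp = b if n == 1 else b & (0x7F >> n)
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        yield i, n, cp
        i += n

def lenient_decode(data: bytes) -> str:
    """What a decoder without the overlong check ends up handing to the page."""
    return "".join(chr(cp) if cp <= 0x10FFFF else "\ufffd"
                   for _, _, cp in _sequences(data))

def overlong_offsets(data: bytes) -> list:
    """Offsets of sequences longer than the shortest form for their code point;
    a compliant decoder rejects every one of these."""
    def shortest(cp):
        return 1 if cp < 0x80 else 2 if cp < 0x800 else 3 if cp < 0x10000 else 4
    return [off for off, n, cp in _sequences(data) if n > shortest(cp)]

def check_param(raw: str) -> dict:
    """Inspect one percent-encoded query parameter value both ways."""
    data = unquote_to_bytes(raw)
    try:
        data.decode("utf-8")            # strict: rejects overlong/5/6-byte forms
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    return {"lenient": lenient_decode(data), "strict_ok": strict_ok,
            "overlong_at": overlong_offsets(data)}
```

A non-empty `overlong_at` on a parameter that a strict decoder rejects is exactly the input the old JRE rule let through, which is why consistent UTF-8 plus a modern runtime is the fix rather than any filtering in the tag itself.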