[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-07-15 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379441#comment-15379441
 ] 

Hudson commented on WW-4507:


SUCCESS: Integrated in Struts-JDK7-master #495 (See 
[https://builds.apache.org/job/Struts-JDK7-master/495/])
WW-4507 - clone Tomcat UDecoder and use it for in query string handling 
(lukaszlenart: rev 76f188406eb9f17a06afcb5f49f0c44d749da0d2)
* core/src/main/java/org/apache/struts2/util/tomcat/buf/HexUtils.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/ByteChunk.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/MessageBytes.java
* core/src/main/java/org/apache/struts2/util/URLDecoderUtil.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/Ascii.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/Utf8Decoder.java
* core/src/main/java/org/apache/struts2/dispatcher/mapper/Restful2ActionMapper.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/CharChunk.java
* core/src/main/java/org/apache/struts2/views/util/DefaultUrlHelper.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/B2CConverter.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/UDecoder.java
* core/src/test/java/org/apache/struts2/util/URLDecoderUtilTest.java
* core/src/main/java/org/apache/struts2/dispatcher/mapper/RestfulActionMapper.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/StringCache.java
WW-4507 - adjust Tomcat url decoding code to Log4j 2 logging used in 
(lukaszlenart: rev 4720f46a63caaf9db97ba27dc51ac5ad21e66bdc)
* core/src/main/java/org/apache/struts2/util/tomcat/buf/StringCache.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/UDecoder.java


> Struts 2 XSS vulnerability with 
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
>  Issue Type: Bug
>Affects Versions: 2.3.16.3
> Environment: Operating System:  Windows 7.  Application Server:  
> JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Development Framework:  Struts 
> 2.3.16.3.  Browser:  FireFox 38.0.1
>Reporter: brian neisen
>Assignee: Rene Gielen
>  Labels: struts2, vulnerability, xss
> Fix For: 2.3.28, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the 
>  tag.   When loading a url in a browser with some param name, in 
> this case "myinput", and the jsp being loaded has the tag  name="myinput" id="myinput">, an alert message is popped open 
> in the browser- which is WhiteHat's method of showing the vulnerability.  
> Example url is: 
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-04-03 Thread Naozumi Taromaru (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15223734#comment-15223734
 ] 

Naozumi Taromaru commented on WW-4507:
--

I created a new issue.
https://issues.apache.org/jira/browse/WW-4625

If WW-4507 and WW-4625 are different XSS vulnerabilities,
please write the hidden reproduction condition of WW-4507 on this (WW-4507) page.




[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-03-30 Thread Naozumi Taromaru (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217857#comment-15217857
 ] 

Naozumi Taromaru commented on WW-4507:
--

> Historically we had many issues with solely relying on "standard" encoding 
> querying functions like
> response.getCharacterEncoding(). That's why the struts.i18n.encoding property 
> was introduced (originally even in
> webwork). With its help we force a user configurable encoding.
org.apache.struts2.components.Include$PageResponse#getWriter
uses response.getCharacterEncoding() when encoding.
Therefore
org.apache.struts2.components.Include#include should use 
response.getCharacterEncoding() when decoding.

I don't usually use Struts2,
but I'm using the same encoding of request and response.
I usually use UTF-8 or Windows-31J. (Because I'm Japanese.)
I don't usually use ISO-8859-1.
So I understand that ISO-8859-1 isn't used.

I'm interested in cause of this XSS vulnerability,
because it's helpful for other lib checking.

I judged that it was org.apache.struts2.components.Include's issue
from the following information.

1. Example url is: 
[http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]
   (General query parameter is used. This parameter is decoded by AP Server.)

2.  is used.
   (Input value is sanitized when output.)

3. an alert message is popped open in the browser
   (XSS succeed.)

4. FireFox 38.0.1 is used.
   (There is no old UTF-8 decoding rule issue in Browser.)

5. jdk1.5.0.11 is used.
   (There is old UTF-8 decoding rule issue in JRE.)

6. "I was only able to reproduce when the page encoding was set to ISO-8859-1. 
When the page encoding is set to UTF-8 this xss issue is not reproducible." 
said Reporter(brian neisen).

Therefore I thought that Reporter(brian neisen) uses  or 
JspTemplateEngine.

I made a comment,
because I succeeded in reproduction when I use Struts 2.3.28(Alternative 
Recommendation in S2-028).

Was there another issue which meets the condition above-mentioned?
If so, please tell me that hidden condition for reproduction.
If not so, Resolution of this issue should be changed to "Workaround" or "Won't 
Fix",
and S2-028 information page should be modified.

> Besides that, we recommend to use UTF-8 only. See also 
> https://struts.apache.org/docs/s2-028.html
"use UTF-8" is "Workaround" in this page.
If you recommend to use UTF-8 only even when Struts 2.3.28 is used,
this page should be modified.
("Alternatively upgrade to Struts 2.3.28" should be deleted.)

> But we also said: this is a platform issue, please move to a supported JRE.
If supported JRE doesn't contain the following JRE
・1.5.0_16 or before (using old UTF-8 decoding rule)
・1.6.0_10 or before (using old UTF-8 decoding rule)
and this issue is not fixed,
Resolution of this issue should be changed to "Workaround" or "Won't Fix",
and S2-028 information page should be modified.
("Alternatively upgrade to Struts 2.3.28" should be deleted.)




[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-03-30 Thread Rene Gielen (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217656#comment-15217656
 ] 

Rene Gielen commented on WW-4507:
-

[~taromaru] I'm not sure if my analysis above is completely wrong. However, 
this is an interesting finding and I see your point.

Historically we had many issues with solely relying on "standard" encoding 
querying functions like response.getCharacterEncoding(). That's why the 
struts.i18n.encoding property was introduced (originally even in webwork). With 
its help we force a user configurable encoding.

Users are responsible for configuring consistent encoding, that is having page 
encoding match their Struts 2 setup. The best solution to your point is IMO to 
use consistent encoding both in page encoding, connector setup and 
struts.i18n.encoding. Besides that, we recommend to use UTF-8 only. See also 
https://struts.apache.org/docs/s2-028.html

This particular issue WW-4507 deals with a platform problem. After talking to 
the Tomcat guys, we agreed to add additional safety by using their encoding 
logic where applies to framework calls. But we also said: this is a platform 
issue, please move to a supported JRE. There is a reason why the old decoding 
rule was ditched, so we can only encourage our users to move to a modern and 
less buggy environment. 

If you feel like the Include component should use response.getCharacterEncoding 
rather than struts.i18n.encoding, you are invited to open a new issue to let us 
discuss this, along with possible implications.



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-03-29 Thread Naozumi Taromaru (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15217298#comment-15217298
 ] 

Naozumi Taromaru commented on WW-4507:
--

The analysis of Rene (14/Jan/16 16:04) is wrong.

One of the causes of this vulnerability is not JRE 1.5's URLDecoder, but the old 
decoding rule of UTF-8.
(Another cause of this vulnerability is the wrong implementation of 
org.apache.struts2.components.Include.)

byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 }
decoding to String { U+0022 = '"' }
is old decoding rule of UTF-8.

The affected components are all decoding APIs of the JDK.
URLDecoder is one of them, but it's not all of them.
For example...
InputStreamReader is one of them too.
new String(byte[], ...) is one of them too.

Therefore even if all codes using URLDecoder are fixed,
this vulnerability isn't fixed.

byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 }
decoding to String { U+0022 = '"' }
is old decoding rule of UTF-8.

But,
String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 }
changing to
String { U+0022 = '"' }
is caused by
org.apache.struts2.components.Include wrong implementation
and old decoding rule of UTF-8.

If org.apache.struts2.components.Include wrong implementation doesn't exist,
byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 } in HTTP response.
(If XSS succeeds, it's a vulnerability of the web browser.
When using a modern web browser at least, XSS doesn't succeed.)


org.apache.struts2.components.Include wrong implementation is
pageResponse.getContent().writeTo(writer, encoding);
and
pageResponse.getContent().writeTo(writer, systemEncoding); .

If
<%@ page contentType="text/html" %>
or
<%@ page contentType="text/html; charset=ISO-8859-1" %>
is written in JSP,
"pageResponse.getContent()" includes an ISO-8859-1(response.getCharacterEncoding()) 
byte sequence.
But org.apache.struts2.components.Include uses another CharacterEncoding(default 
is UTF-8) when decoding.

Therefore 
pageResponse.getContent().writeTo(writer, response.getCharacterEncoding());
is correct.




[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-03-29 Thread victorsosa (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15215799#comment-15215799
 ] 

victorsosa commented on WW-4507:


Please check Rene's comment 



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-03-29 Thread Naozumi Taromaru (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15215689#comment-15215689
 ] 

Naozumi Taromaru commented on WW-4507:
--

I reproduced this issue. I use Struts 2.3.24.1 and 2.3.28.
Even Struts 2.3.28 isn't fixed yet.

This issue is that
%fc%80%80%80%80%a2 becomes '"' after  tag's process.
(If %fc%80%80%80%80%a2 becomes '"' before  tag's process, '"' 
becomes &quot; by  tag's process.)

The cause of this issue is
org.apache.struts2.components.Include#include.
(It's used by  and JspTemplateEngine.)

The included page is encoded by response character encoding(default is 
ISO-8859-1(ServletResponse)).
But encoded result is decoded by 'request' character encoding(default is 
UTF-8(@Inject(StrutsConstants.STRUTS_I18N_ENCODING))).

org.apache.struts2.components.Include#include uses the wrong character encoding when 
decoding.

See
org.apache.struts2.components.Include$PageResponse#getWriter
org.apache.struts2.components.Include#include

-
server.xml(Tomcat)
default.

struts.xml:
 is not set.

sample.jsp:
<%@ page contentType="text/html" %>
...


included.jsp:


Query parameter:
myinput=%fc%80%80%80%80%a2

1. Query parameter is decoded by Tomcat.(ISO-8859-1)
%fc%80%80%80%80%a2 -> String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 }

2.  tag outputs String { U+00fc, U+0080, U+0080, U+0080, U+0080, 
U+00a2 }
String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 }
(It doesn't contain U+0022( = '"').)

3. String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 } is encoded by 
org.apache.struts2.components.Include(ISO-8859-1)
String { U+00fc, U+0080, U+0080, U+0080, U+0080, U+00a2 } -> byte array { 0xfc, 
0x80, 0x80, 0x80, 0x80, 0xa2 }

4. byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 } is decoded by 
org.apache.struts2.components.Include(UTF-8)
byte array { 0xfc, 0x80, 0x80, 0x80, 0x80, 0xa2 } -> String { U+0022 = '"' }
(use JDK 1.5.0_11)





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
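
Added example (not code from this thread or from Struts): a stand-alone Java program that walks the four steps listed in the comment above, using only the six-byte sequence quoted there. `decodeUtf8OldRule` is a hypothetical stand-in for the old UTF-8 decoding rule the thread attributes to early JREs, since current JDK decoders reject this sequence; all class and method names are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Added illustration; class and helper names are hypothetical, not Struts code. */
public class IncludeCharsetMismatchDemo {

    // Constructed input: the single six-byte sequence quoted in the comment.
    static final String QUERY_VALUE = "%fc%80%80%80%80%a2";

    /** Percent-decodes %XX escapes to raw bytes; other characters are taken as ASCII. */
    static byte[] percentDecode(String s) {
        byte[] buf = new byte[s.length()];
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                // Throws NumberFormatException on a malformed escape.
                buf[n++] = (byte) Integer.parseInt(s.substring(i + 1, i + 3), 16);
                i += 2;
            } else {
                buf[n++] = (byte) c;
            }
        }
        return Arrays.copyOf(buf, n);
    }

    /**
     * Stand-in for the old decoding rule: accepts 1- to 6-byte forms and does
     * not check that a sequence is the shortest encoding of its code point.
     */
    static String decodeUtf8OldRule(byte[] in) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < in.length) {
            int b = in[i] & 0xff;
            int extra;
            int cp;
            if (b < 0x80) { extra = 0; cp = b; }
            else if (b >= 0xc0 && b < 0xe0) { extra = 1; cp = b & 0x1f; }
            else if (b >= 0xe0 && b < 0xf0) { extra = 2; cp = b & 0x0f; }
            else if (b >= 0xf0 && b < 0xf8) { extra = 3; cp = b & 0x07; }
            else if (b >= 0xf8 && b < 0xfc) { extra = 4; cp = b & 0x03; }
            else if (b >= 0xfc && b < 0xfe) { extra = 5; cp = b & 0x01; }
            else { out.append('\uFFFD'); i++; continue; }
            boolean ok = i + extra < in.length;
            for (int k = 1; ok && k <= extra; k++) {
                int c = in[i + k] & 0xff;
                if ((c & 0xc0) != 0x80) {
                    ok = false;                 // not a continuation byte
                } else {
                    cp = (cp << 6) | (c & 0x3f);
                }
            }
            if (ok && Character.isValidCodePoint(cp)) {
                out.appendCodePoint(cp);
                i += extra + 1;
            } else {
                out.append('\uFFFD');
                i++;
            }
        }
        return out.toString();
    }

    /** True when the JDK's UTF-8 decoder, set to REPORT errors, refuses the bytes. */
    static boolean strictUtf8Rejects(byte[] in) {
        try {
            StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(in));
            return false;
        } catch (CharacterCodingException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Step 1: the container decodes the query parameter as ISO-8859-1.
        String param = new String(percentDecode(QUERY_VALUE), StandardCharsets.ISO_8859_1);
        // Step 2: tag-level escaping runs on this string, which holds no U+0022.
        System.out.println("quote present before include: " + (param.indexOf('"') >= 0));
        // Step 3: the included page is buffered as bytes in the response encoding.
        byte[] buffered = param.getBytes(StandardCharsets.ISO_8859_1);
        // Step 4: the buffer is decoded with a different charset (UTF-8).
        String oldRule = decodeUtf8OldRule(buffered);
        System.out.println("old-rule UTF-8 decode yields U+0022: " + oldRule.equals("\""));
        System.out.println("strict UTF-8 decode rejects bytes: " + strictUtf8Rejects(buffered));
        // Decoding with the charset that was used for encoding round-trips the string.
        String matched = new String(buffered, StandardCharsets.ISO_8859_1);
        System.out.println("matching charset round-trips: " + matched.equals(param));
    }
}
```

The last two checks correspond to the two remedies discussed in the thread: a decoder that rejects the non-shortest form, and decoding the buffered include output with the same charset that encoded it.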


[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-03-03 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15179365#comment-15179365
 ] 

Lukasz Lenart commented on WW-4507:
---

Great, thanks!

> Struts 2 XSS vulnerability with 
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
>  Issue Type: Bug
>Affects Versions: 2.3.16.3
> Environment: Operating System:  Windows 7.  Application Server:  
> JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Development Framework:  Struts 
> 2.3.16.3.  Browser:  FireFox 38.0.1
>Reporter: brian neisen
>Assignee: Rene Gielen
>  Labels: struts2, vulnerability, xss
> Fix For: 2.3.25, 2.5
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the 
>  tag.   When loading a url in a browser with some param name, in 
> this case "myinput", and the jsp being loaded has the tag  name="myinput" id="myinput">, an alert message is popped open 
> in the browser- which is WhiteHat's method of showing the vulnerability.  
> Example url is: 
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]





[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-03-03 Thread Rene Gielen (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15178408#comment-15178408
 ] 

Rene Gielen commented on WW-4507:
-

[~lukaszlenart] done, sorry for not resolving the issue



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-03-03 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15178248#comment-15178248
 ] 

Lukasz Lenart commented on WW-4507:
---

[~rgielen] is it done?



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-01-14 Thread Rene Gielen (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15098308#comment-15098308
 ] 

Rene Gielen commented on WW-4507:
-

We can confirm now that this is a platform issue. Especially JRE 1.5's 
URLDecoder implementation seems to be broken to the point that this non-spec 
encoding isn't rejected / filtered. The current implementation of URLDecoder in 
JRE 1.8 seems to address all issues in this space, thus it is highly 
recommended to upgrade to JRE 1.8 for production environments.

Some containers such as Tomcat and Jetty circumvent broken JRE URLDecoder 
implementations by providing their own decoder for dealing with request 
parameters. JBoss 4.2.1 does not seem to be in this space.

While upcoming Struts 2.3.25 will have improved handling for some edge cases 
where URLDecoder is called by using Tomcat's UDecoder solution, this will not 
address the specific issue mentioned here. To address this, one will either 
have to upgrade the JRE to a version with non-broken URLDecoder implementation 
(preferably JRE 1.8) or a container that circumvents calls to broken URLDecoder 
implementation calls in its Servlet API implementation.

> Struts 2 XSS vulnerability with 
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
>  Issue Type: Bug
>Affects Versions: 2.3.16.3
> Environment: Operating System:  Windows 7.  Application Server:  
> JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Development Framework:  Struts 
> 2.3.16.3.  Browser:  FireFox 38.0.1
>Reporter: brian neisen
>  Labels: struts2, vulnerability, xss
> Fix For: 2.3.x
>
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the 
>  tag.   When loading a url in a browser with some param name, in 
> this case "myinput", and the jsp being loaded has the tag  name="myinput" id="myinput">, an alert message is popped open 
> in the browser- which is WhiteHat's method of showing the vulnerability.  
> Example url is: 
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]





[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-01-14 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15098189#comment-15098189
 ] 

Hudson commented on WW-4507:


SUCCESS: Integrated in Struts-JDK7-master #404 (See 
[https://builds.apache.org/job/Struts-JDK7-master/404/])
WW-4507 - clone Tomcat UDecoder and use it for in query string handling 
(rgielen: rev 72471d7075681bea52046645ad7aa34e9c53751e)
* core/src/main/java/org/apache/struts2/views/util/DefaultUrlHelper.java
* core/src/main/java/org/apache/struts2/dispatcher/mapper/RestfulActionMapper.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/HexUtils.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/UDecoder.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/MessageBytes.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/Ascii.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/B2CConverter.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/StringCache.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/Utf8Decoder.java
* core/src/main/java/org/apache/struts2/util/URLDecoderUtil.java
* core/src/main/java/org/apache/struts2/dispatcher/mapper/Restful2ActionMapper.java
* core/src/test/java/org/apache/struts2/util/URLDecoderUtilTest.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/ByteChunk.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/CharChunk.java
WW-4507 - adjust Tomcat url decoding code to Log4j 2 logging used in (rgielen: 
rev a89bbe22cd2461748d595a89a254de888a415e6c)
* core/src/main/java/org/apache/struts2/util/tomcat/buf/UDecoder.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/StringCache.java




[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-01-14 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15098169#comment-15098169
 ] 

Hudson commented on WW-4507:


SUCCESS: Integrated in Struts-JDK6-support-2.3 #955 (See 
[https://builds.apache.org/job/Struts-JDK6-support-2.3/955/])
WW-4507 - clone Tomcat UDecoder and use it for in query string handling 
(rgielen: rev 5421930b49822606792f36653b17d3d95ef106f9)
* core/src/main/java/org/apache/struts2/views/util/DefaultUrlHelper.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/Ascii.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/ByteChunk.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/HexUtils.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/StringCache.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/UDecoder.java
* core/src/main/java/org/apache/struts2/dispatcher/mapper/Restful2ActionMapper.java
* core/src/main/java/org/apache/struts2/util/URLDecoderUtil.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/MessageBytes.java
* core/src/test/java/org/apache/struts2/util/URLDecoderUtilTest.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/CharChunk.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/B2CConverter.java
* core/src/main/java/org/apache/struts2/util/tomcat/buf/Utf8Decoder.java
* core/src/main/java/org/apache/struts2/dispatcher/mapper/RestfulActionMapper.java




[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-01-14 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15098163#comment-15098163
 ] 

ASF subversion and git services commented on WW-4507:
-

Commit a89bbe22cd2461748d595a89a254de888a415e6c in struts's branch 
refs/heads/master from [~rgielen]
[ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=a89bbe2 ]

WW-4507 - adjust Tomcat url decoding code to Log4j 2 logging used in Struts




[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-01-14 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15098146#comment-15098146
 ] 

ASF subversion and git services commented on WW-4507:
-

Commit 72471d7075681bea52046645ad7aa34e9c53751e in struts's branch 
refs/heads/master from [~rgielen]
[ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=72471d7 ]

WW-4507 - clone Tomcat UDecoder and use it for in query string handling
(cherry picked from commit 5421930)




[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-01-14 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15098141#comment-15098141
 ] 

ASF subversion and git services commented on WW-4507:
-

Commit 5421930b49822606792f36653b17d3d95ef106f9 in struts's branch 
refs/heads/support-2-3 from [~rgielen]
[ https://git-wip-us.apache.org/repos/asf?p=struts.git;h=5421930 ]

WW-4507 - clone Tomcat UDecoder and use it for in query string handling




[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2016-01-05 Thread Rene Gielen (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15082735#comment-15082735
 ] 

Rene Gielen commented on WW-4507:
-

I have tried to reproduce this with a page encoding of ISO-8859-1 on Tomcat 7, 
JDK 8, Struts 2.3.24.1, Chrome - to no success

Just to clarify: can we confirm that this is no general issue with ISO-8859-1 
page encoding usage? It looks to me like a very specific behaviour found in 
[~greaser...@gmail.com]'s setup, including the usage of an older Struts version 
which is no longer supported due to security fix upgrade policy?



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-10-08 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14949882#comment-14949882
 ] 

Lukasz Lenart commented on WW-4507:
---

Thanks [~greaser...@gmail.com] - will prepare an announcement!



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-10-08 Thread brian neisen (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14948986#comment-14948986
 ] 

brian neisen commented on WW-4507:
--

Hi,  

The problem is related to the page encoding.  I was only able to reproduce when 
the page encoding was set to ISO-8859-1.  When the page encoding is set to 
UTF-8 this xss issue is not reproducible.

Thanks,

Brian



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-09-08 Thread angelwhu (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14734348#comment-14734348
 ] 

angelwhu commented on WW-4507:
--

I use your environment.
Application Server: JBoss-4.2.1.GA. Java: jdk1.5.0.11. Development Framework: 
Struts 2.3.16.3. Browser: FireFox 38.0.1.
But it only appears garbled and there is no alert message. Does it depend on any other 
key environment?
And it is the same on Jetty and Tomcat 7: no pop-up message.

> Struts 2 XSS vulnerability with 
> -
>
> Key: WW-4507
> URL: https://issues.apache.org/jira/browse/WW-4507
> Project: Struts 2
> Issue Type: Bug
> Affects Versions: 2.3.16.3
> Environment: Operating System:  Windows 7.  Application Server:  
> JBoss-4.2.1.GA.  Java: jdk1.5.0.11.  Development Framework:  Struts 
> 2.3.16.3.  Browser:  FireFox 38.0.1
> Reporter: brian neisen
> Labels: struts2, vulnerability, xss
>
> WhiteHat Security (whitehatsec.com) has found an xss vulnerability with the 
>  tag.   When loading a url in a browser with some param name, in 
> this case "myinput", and the jsp being loaded has the tag  name="myinput" id="myinput">, an alert message is popped open 
> in the browser- which is WhiteHat's method of showing the vulnerability.  
> Example url is: 
> [http://localhost:8080/sample.action?myinput=%fc%80%80%80%80%a2%fc%80%80%80%80%bE%FC%80%80%80%80%BC%FC%80%80%80%81%B7%FC%80%80%80%81%A8%FC%80%80%80%81%B3%FC%80%80%80%81%A3%FC%80%80%80%81%A8%FC%80%80%80%81%A5%FC%80%80%80%81%A3%FC%80%80%80%81%AB%FC%80%80%80%80%BE%fc%80%80%80%80%bCscript%fc%80%80%80%80%bEalert%fc%80%80%80%80%a81%fc%80%80%80%80%a9%fc%80%80%80%80%bC%fc%80%80%80%80%aFscript%fc%80%80%80%80%bE]





[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-08-31 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14724867#comment-14724867
 ] 

Lukasz Lenart commented on WW-4507:
---

Looks like the issue is related to the container and proper encoding; on Jetty I see 
this:
{noformat}
2015-09-01 08:31:32.593:WARN:oeju.UrlEncoded:org.eclipse.jetty.util.Utf8Appendable$NotUtf8Exception: Not valid UTF8! byte Be in state 0
{noformat}




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
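
Added example, not part of the thread and not Struts, Tomcat or Jetty code: a strict query-value decoder in the spirit of the rejection Jetty logs above. It percent-decodes to raw bytes, refuses anything that is not well-formed UTF-8, and names the first ill-formed sequence, such as the `%fc%80%80%80%80%a2` group that opens the reported URL. The class and method names are hypothetical and the sample values in `main` are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
// Added illustration: hypothetical names, not an API of Struts, Tomcat or Jetty.
public class StrictQueryValue {

    /** Percent-decode to raw bytes; no charset is applied at this stage. */
    static byte[] percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) throw new IllegalArgumentException("truncated escape at " + i);
                int hi = s.charAt(i + 1) < 0x80 ? Character.digit(s.charAt(i + 1), 16) : -1;
                int lo = s.charAt(i + 2) < 0x80 ? Character.digit(s.charAt(i + 2), 16) : -1;
                if (hi < 0 || lo < 0) throw new IllegalArgumentException("bad escape at " + i);
                out.write((hi << 4) | lo);
                i += 2;
            } else if (c < 0x80) {
                out.write(c == '+' ? ' ' : c);
            } else {
                throw new IllegalArgumentException("unescaped non-ASCII at " + i);
            }
        }
        return out.toByteArray();
    }

    /** Strict decode: malformed UTF-8 raises instead of being replaced or guessed. */
    static String decodeStrict(String s) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(percentDecode(s)))
                .toString();
    }

    /** Describes the first ill-formed sequence for logging, or returns null if there is none. */
    static String firstViolation(byte[] b) {
        for (int i = 0; i < b.length; ) {
            int lead = b[i] & 0xFF;
            if (lead < 0x80) { i++; continue; }
            if (lead < 0xC0 || lead > 0xFD) return String.format("offset %d: 0x%02X cannot start a sequence", i, lead);
            int len = lead >= 0xFC ? 6 : lead >= 0xF8 ? 5 : lead >= 0xF0 ? 4 : lead >= 0xE0 ? 3 : 2;
            if (i + len > b.length) return String.format("offset %d: truncated sequence", i);
            int cp = lead & (0x7F >> len);          // payload bits carried by the lead byte
            for (int k = 1; k < len; k++) {
                int c = b[i + k] & 0xFF;
                if ((c & 0xC0) != 0x80)
                    return String.format("offset %d: 0x%02X is not a continuation byte", i + k, c);
                cp = (cp << 6) | (c & 0x3F);
            }
            // Smallest code point each length may carry; 5- and 6-byte forms are never legal (RFC 3629).
            int min = len == 2 ? 0x80 : len == 3 ? 0x800 : len == 4 ? 0x10000 : Integer.MAX_VALUE;
            if (cp < min) return String.format("offset %d: %d-byte non-shortest form of U+%04X", i, len, cp);
            if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
                return String.format("offset %d: U+%04X is not a Unicode scalar value", i, cp);
            i += len;
        }
        return null;
    }

    public static void main(String[] args) {
        // First escape group of the reported URL plus constructed ASCII, then a constructed benign value.
        String[] samples = { "%fc%80%80%80%80%a2abc", "caf%C3%A9" };
        for (String s : samples) {
            String verdict;
            try { verdict = "decoded: " + decodeStrict(s); }
            catch (CharacterCodingException e) { verdict = "rejected: " + e; }
            System.out.println(s + " -> " + firstViolation(percentDecode(s)) + "; " + verdict);
        }
    }
}
```

Rejecting the value outright, rather than substituting replacement characters, keeps the decoder's view of the parameter identical to what any later output-escaping step will see.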


[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-08-31 Thread angelwhu (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14724863#comment-14724863
 ] 

angelwhu commented on WW-4507:
--

Struts version is 2.3.16.3. Page encoding is UTF-8.



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-08-31 Thread Lukasz Lenart (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14724852#comment-14724852
 ] 

Lukasz Lenart commented on WW-4507:
---

[~angelwhu] Which Struts version do you use?



[jira] [Commented] (WW-4507) Struts 2 XSS vulnerability with

2015-08-31 Thread angelwhu (JIRA)

[ 
https://issues.apache.org/jira/browse/WW-4507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14724705#comment-14724705
 ] 

angelwhu commented on WW-4507:
--

Does it depend on the server? I use Tomcat 7, it doesn't work.
