Apache Struts 2 Cross Site Scripting

`  
  
Security Advisory: MVSA-11-006  
  
CVE: CVE-2011-1772  
  
Vendor: Apache Software Foundation  
  
Product: Struts 2 Framework  
  
Vulnerabilities: Multiple Reflected XSS in XWork error pages  
  
Risk: High  
  
Attack Vector: From Remote  
  
Authentication: Not Required  
  
References:   
- http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html   
- https://issues.apache.org/jira/browse/WW-3579  
- http://struts.apache.org/2.x/doc/s2-006.html   
  
  
Description  
  
Apache Struts 2 framework before version 2.2.3 is vulnerable to reflected Cross-Site Scripting (XSS) attacks when default XWork generated error messages are displayed. User provided data is not properly escaped before being included in XWork generated errors, thus allowing successful reflected XSS attacks as described below.  
  
1. XSS payload injected in the name of the requested Struts actions (Dynamic Method Invocation not enabled)  
  
http://test.app.net/home<img>.action  
  
2. Reflected XSS vulnerabilities in <s:submit> tag using bash syntax with Dynamic Method Invocation (DMI) enabled  
  
a. Reflected XSS via action attribute of <s:submit> tag  
  
http://test.app.net/home.action?user=&password=&action!login<script>alert(document.cookie)  
</script>:cantLogin=some_value  
  
b. Reflected XSS via method attribute of <s:submit> tag  
  
http://test.app.net/home.action?user=&password=&action!login:cantLogin<script>alert(document.cookie  
</script>=some_value  
  
  
Affected Versions  
  
All releases of Apache Struts 2 framework prior to 2.2.3 were found vulnerable to the above attacks.  
  
Other open source and commercial products using XWork framework could be vulnerable to similar attacks.   
  
WebWork framework released by OpenSymphony (http://opensymphony.org) was confirmed as vulnerable to the attacks described in this advisory.  
  
Mitigation  
  
It is recommended to upgrade to Apache Struts 2.2.3 released on 5th of May 2011, or to the latest available version.  
  
Alternatively, it is recommended to implement a custom error page (eg. error_page.jsp) which either uses proper output encoding to display XWork generated errors or displays a generic error message. An example of required configuration in struts.xml file is shown below:  
  
  
<global-results>  
<result name="error">/error_page.jsp</result>  
</global-results>  
<global-exception-mappings>  
<exception-mapping exception="java.lang.Exception" result="error"/>  
</global-exception-mappings>  
  
  
Disclosure Timeline  
  
2011, February 18: Vulnerabilities discovered and documented  
2011, February 18: First notification sent to Apache  
2011, February 21: Second notification sent to Apache  
2011, February 22: WW-3579 JIRA ticket created  
2011, February 22: Apache acknowledges receiving the report  
2011, February 22: Apache acknowledges the vulnerabilities  
2011, March 27: Apache Struts 2.2.2 test build released  
2011, April 8: Apache Struts 2.2.3 test build released  
2011, May 5: Apache Struts 2.2.3 general availability build released  
2011, May 11: MVSA-11-006 advisory published.  
  
Credits  
  
Dr. Marian Ventuneac  
http://www.ventuneac.net  
`