Apache Struts XWork 's:submit' HTML Tag Cross-Site Scripting Vulnerability

2011-05-12T00:00:00
ID SSV:20538
Type seebug
Reporter Root
Modified 2011-05-12T00:00:00

Description

Bugtraq ID: 47784 CVE ID: CVE-2011-1772

Apache Struts is an open-source framework for building Java web applications. When an action or method name passed through the "<s:submit>" tag in BASH syntax is not defined, XWork does not filter it properly before it is used to generate the error page. An attacker can exploit this to execute arbitrary HTML and script code in the browser of a targeted user. Successful exploitation requires Dynamic Method Invocation to be enabled (it is enabled by default).

Affected versions

Apache Software Foundation Struts 2.2.1.1
Apache Software Foundation Struts 2.2
Apache Software Foundation Struts 2.1.8.1
Apache Software Foundation Struts 2.1.8
Apache Software Foundation Struts 2.1.6
Apache Software Foundation Struts 2.1.5
Apache Software Foundation Struts 2.1.2
Apache Software Foundation Struts 2.1.1
Apache Software Foundation Struts 2.1
Apache Software Foundation Struts 2.0.9
Apache Software Foundation Struts 2.0.8
Apache Software Foundation Struts 2.0.7
Apache Software Foundation Struts 2.0.6
Apache Software Foundation Struts 2.0.5
Apache Software Foundation Struts 2.0.4
Apache Software Foundation Struts 2.0.3
Apache Software Foundation Struts 2.0.2
Apache Software Foundation Struts 2.0.1
Apache Software Foundation Struts 2.0
Apache Software Foundation Struts 2.1.4
Apache Software Foundation Struts 2.1.3

Vendor solution

Apache Software Foundation Struts 2.2.3 fixes this vulnerability; users are advised to download it from: http://struts.apache.org/

Proof of Concept

http://ssvdb.com/struts2-blank/home.action!login:cantLogin<script>alert(document.cookie)</script>=some_value