Struts XSS Vulnerability
1. Information
A Cross Site Scripting (XSS) vulnerability has been identified in Struts by Hacktics.com. For further information, see...
- Wikipedia - What is Cross Site Scripting?
- Hacktics.com Advisory - Details of the threat to Struts
2. Impact
The following GA quality versions of Struts are vulnerable:
- Struts 1.0.x
- Struts 1.1
- Struts 1.2.4
- Struts 1.2.7
N.B. Struts 1.2.8 and Struts 1.3.x do NOT have this vulnerability.
3. Solutions/Options
There are three possible courses of action users can take to guard against this vulnerability:
- Configure an unknown Struts Action (Struts Version 1.1 onwards)
- Upgrade to Struts 1.2.8
- Configure your Servlet Container to use a Custom Error Page for 404 / Not Found errors
3.1 Configure an unknown Struts Action
From Struts 1.1 onwards it is possible to configure one action in the struts-config.xml for mappings which are Not Found. This action should be configured to forward to a custom error page (which doesn't include the Request's path!).
To do this you specify the unknown attribute on ONE of your action mappings and forward to a custom error page, for example...
<struts-config>
  <action-mappings>
    <action forward="/CustomNotFoundError.jsp" unknown="true" />
  </action-mappings>
</struts-config>
Ralph Hauser reports that the above "doesn't validate with the 1.2 DTD". I tried it in the struts-examples webapp for Struts 1.2.7 and it worked fine for me - niallp. However, if the above doesn't work, then add a "path" element to the action mapping:
<struts-config>
  <action-mappings>
    <action path="/unknown" forward="/CustomNotFoundError.jsp" unknown="true" />
  </action-mappings>
</struts-config>
3.2 Upgrading to Struts 1.2.8
Struts has been modified to remove this vulnerability in Struts 1.2.8. For further information on Struts 1.2.8, see:
- Struts 1.2.8 Release Notes
- Notes on Upgrading
- Download latest Struts here
3.3 Configure Servlet Container to use a Custom Error Page
Check your servlet container's documentation to see if you can configure a custom error page for 404 / Not Found status.
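The container-independent way to do this is the Servlet specification's error-page mapping in the web application's web.xml. This is an added example, not taken from the page or the Struts project; it reuses the CustomNotFoundError.jsp name from section 3.1 and assumes the JSP itself never echoes the requested path:

```xml
<!-- WEB-INF/web.xml (fragment): route every 404 to a static, path-free page -->
<web-app>

  <error-page>
    <error-code>404</error-code>
    <location>/CustomNotFoundError.jsp</location>
  </error-page>

  <!--
    The page at /CustomNotFoundError.jsp must not write the original
    request path back into the response. In particular it must not
    output request.getRequestURI() or the container-supplied attribute
    javax.servlet.error.request_uri without HTML-escaping it, since that
    value is attacker-controlled and is exactly what the Struts advisory
    describes being reflected.
  -->

</web-app>
```

The same mapping can be repeated with an `<exception-type>` element if the container should also hide stack traces behind a static page.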