|Home > Security Bulletins > S2-006|
Multiple Cross-Site Scripting (XSS) in XWork generated error pages
|Who should read this||All Struts 2 developers|
|Impact of vulnerability||Injection of malicious client side code|
|Maximum security rating||Important|
|Recommendation||Developers should either upgrade to Struts 2.2.3 or apply the configuration changes described below|
|Affected Software||Struts 2.0.0 - Struts 126.96.36.199|
|Original JIRA Tickets||WW-3579|
|Reporter||Dr. Marian Ventuneac, Genworth|
By default, XWork doesn't escape action's names in automatically generated error page, allowing for a successful XSS attack. When Dynamic Method Invocation (DMI) is enabled, the action name is generated dynamically base on request parameters. This allows to call non-existing page and method to produce error page with injected code as below
A more detailed description is found in the referenced JIRA ticket.
As of Struts 2.2.3 the action names are escaped when automatically generated error pages are rendered.
When staying with earlier releases, developers should either
You can obtain Struts 2.2.3 here.