Struts 2 / WW-3410

XSS vulnerability in


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s:
    • Fix Version/s: 2.2.1
    • Component/s: None
    • Flags:
      Patch, Important


      WebWise Security has discovered an XSS vulnerability in Struts This particular vulnerability exists in and allows an attacker to execute arbitrary javascript that could be used to steal a user's session credentials or execute forced javascript redirects to phishing sites. This vulnerability manifests itself when the <s:url> tag is used with includeParams='all'.

      Let's say there is an action (myAction.action) that serves a JSP Page with the following snippet:
      <a href="<s:url includeParams="all"/>">My Link</a>

      Attack 1:

      This is very similar to the vulnerability in Security Bulletin S2-002; however, the implemented fix for S2-002 only checks for "<script>", not "<sCript>".

      Attack 2:

      Simply checking for <script> isn't sufficient because certain attributes can be injected to execute javascript. In attack 2, the user simply has to hover over the link with their mouse and arbitrary javascript will be executed.

      I attached a possible fix as a patch. Essentially, both the key and value for a parameter must be escaped when creating the query string in
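
      The difference between filtering for "<script>" and encoding both the parameter name and value, shown as an added example. This is not Struts code and not the attached patch; the class, method and parameter names and the sample parameters are constructed for illustration, and URLEncoder.encode(String, Charset) assumes Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryStringEncodingDemo {

    // Filter in the style the report describes: exact, case-sensitive match on "<script>".
    static boolean blacklistRejects(String s) {
        return s.contains("<script>");
    }

    // Builds base?k=v&k=v. With encode=false, names and values are appended as received.
    static String build(String base, Map<String, String> params, boolean encode) {
        StringBuilder sb = new StringBuilder(base);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            String k = encode ? URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8) : e.getKey();
            String v = encode ? URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8) : e.getValue();
            sb.append(sep).append(k).append('=').append(v);
            sep = '&';
        }
        return sb.toString();
    }

    // True if the string could still close a double-quoted href attribute or open a tag.
    static boolean canBreakOutOfHref(String url) {
        return url.indexOf('"') >= 0 || url.indexOf('<') >= 0 || url.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed request parameters; both names and values come from the request.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("a", "<sCript>");                // mixed-case tag named in the report
        params.put("b", "x\" data-injected=\"1");   // quote in a value adds an attribute
        params.put("c\" data-k=\"1", "y");          // quote in a parameter name does the same

        String raw = build("myAction.action", params, false);
        String enc = build("myAction.action", params, true);

        System.out.println("blacklist rejects raw URL: " + blacklistRejects(raw));
        System.out.println("raw:     <a href=\"" + raw + "\">My Link</a>");
        System.out.println("raw can break out:     " + canBreakOutOfHref(raw));
        System.out.println("encoded: <a href=\"" + enc + "\">My Link</a>");
        System.out.println("encoded can break out: " + canBreakOutOfHref(enc));
    }
}
```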


        Lukasz Lenart made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Lukasz Lenart made changes -
        Fix Version/s 2.2.1 [ 12315170 ]
        Fix Version/s 2.2.0 [ 12314680 ]
        Lukasz Lenart made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Assignee Lukasz Lenart [ lukaszlenart ]
        Fix Version/s 2.2.0 [ 12314680 ]
        Resolution Fixed [ 1 ]
        Sean Ford made changes -
        Field Original Value New Value
        Attachment URLHelper_XSS_Fix.patch [ 12439296 ]
        Sean Ford created issue -


          • Assignee:
            Lukasz Lenart
            Sean Ford