Uploaded image for project: 'Struts 2'
  1. Struts 2
  2. WW-3597

XSS vulnerability in javatemplates plugin

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 2.2.1.1
    • 2.2.3
    • Plugin - Java Templates
    • None
    • Important

    Description

      Many of the component handlers do not escape the value attribute. In fact they have been deliberately set to not escape their output. This enables reflective XSS on any page which uses the struts tags where the value is not manually escaped.

      The javatemplates plugin is increasingly being used instead of the default Freemarker renderer because of its performance benefits. The Freemarker renderer escapes values correclty therefore switching over to the javatemplates plugin can automatically make your website vulnerable.

      Also, the documentation should make it very clear which attributes are not encoded, for example, the anchor tag's href attribute is not encoded, therefore if you don't use the url tag to construct your url, then you need to make sure you escape any untrusted data you use to construct the url.

      I have updated all of the javatemplates plugins' tag handlers to be consistent with the Freemarker renderer and will attach a patch.

      Attachments

        1. javatemplates-xss.patch
          8 kB
          Gareth Faires

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. WW-3608 Java Template defaults to opening up a XSS vulnerability

          • Major - Major loss of function.
          • Closed

          Activity

            People

              maurizio.cucchiara Maurizio Cucchiara
              gfaires Gareth Faires
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: