Bugzilla – Bug 385273
VUL-0: CVE-2008-2025: struts: XSS in Struts and probably other Java Apache projects
Last modified: 2017-08-02 11:56:15 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. The issue public status is a biut unclear, but feel free to talk to the Apache foundation. CVE-2008-2025 Date: Wed, 30 Apr 2008 15:25:18 +0200 From: Florian Weimer <fw@deneb.enyo.de> To: vendor-sec@lst.de Subject: Re: [vendor-sec] XSS in Struts and probably other Java Apache projects CC: coley@linus.mitre.org * Florian Weimer: > Struts 1, in the file > > taglib/src/main/java/org/apache/struts/taglib/html/BaseHandlerTag.java > > contains the following gem: > > /** > * Prepares an attribute if the value is not null, appending it to > the the > * given StringBuffer. > * > * @param handlers The StringBuffer that output will be appended to. > */ > protected void prepareAttribute(StringBuffer handlers, String name, > Object value) { > if (value != null) { > handlers.append(" "); > handlers.append(name); > handlers.append("=\""); > handlers.append(value); > handlers.append("\""); > } > } > > IOW, the content of "value" is passed through to the generated HTML > unencoded. This allows for cross-site scripting attacks (via "\">..." > strings). The same idiom has been reused in other Apache code. > > We[*] contacted the Apache software foundation (specifically, Mark > Thomas, via security@) in late August, but we couldn't establish contact > with the Struts team. The issue hasn't been acknowledged by the ASF. > > A patch looks like this (note that you can't really do much about a name > with bad characters; it's not permitted by the XML spec): > > --- a/taglib/src/main/java/org/apache/struts/taglib/html/BaseHandlerTag.java > +++ b/taglib/src/main/java/org/apache/struts/taglib/html/BaseHandlerTag.java > @@ -1156,9 +1156,9 @@ public abstract class BaseHandlerTag extends BodyTagSupport { > Object value) { > if (value != null) { > handlers.append(" "); > - handlers.append(name); > + handlers.append(TagUtils.getInstance().filter(name)); > handlers.append("=\""); > - handlers.append(value); > + handlers.append(TagUtils.getInstance().filter(value.toString())); > handlers.append("\""); > } > } > > As mentioned above, there is similar code in other places which would > need patching, too. > > AFAIK, some of the list members ship Struts packages, so maybe you are > interested in fixing this. Of course, the real-world impact will be > minimal because Java developers tend not to use the Java packages in > their distribution, but I still hope to get a fix into the ASF tree and > popularize the issue. Could I get a CVE for this, please? I think it's time to move this forward, so Debian will release something, probably in the second half of May, depending on how fast I can cough up a patch. Coordination with the Apache folks seems futile at this point. (The cited message was from October 29, 2007, and sparked no reaction, so there's apparently no need for any embargo. However, I think both IBM and Sun ship Struts code in examples in their J2EE stuff, and some GNU/Linux distros offer Struts packages allegedly under security support.)
From: Florian Weimer <fw@deneb.enyo.de> To: "Steven M. Christey" <coley@linus.mitre.org> Cc: vendor-sec@lst.de Subject: Re: [vendor-sec] XSS in Struts and probably other Java Apache projects Errors-To: vendor-sec-admin@lst.de Date: Wed, 07 May 2008 14:08:06 +0200 * Steven M. Christey: > On Wed, 30 Apr 2008, Florian Weimer wrote: > >> Could I get a CVE for this, please? I think it's time to move this >> forward, so Debian will release something, probably in the second half >> of May, depending on how fast I can cough up a patch. > > Use CVE-2008-2025 There's a similar issue in the Apache Struts/Portlets Bridge project (http://portals.apache.org/bridges/multiproject/portals-bridges-struts/). It's a different code base, so I'd like to get yet another CVE if possible. Thanks in advance! (These issues aren't public yet.)
the similar issue in Struts/Portlets is CVE-2008-2141
Are there any other informations? As I've looked to struts and there's many places, which are potentionally vulnerable by this XSS attack. I can start working on fix it, but if there's some work on the fix, it would be better to connect.
no further info yet. just hold back work on it for now, its not really that large a problem.
Marcus, what is the status here? This is ancient...
There still is no information, the CVE is still closed, so no one released updates. Either we fix this ourselves or continue to wait for upstream.
Created attachment 258537 [details] patches!
satisfies needinfo :)
The part of CVE-2008-2025 patch is probably wrong. @@ -599,9 +600,10 @@ public class FormTag extends TagSupport { protected void renderAttribute(StringBuffer results, String attribute, String value) { if (value != null) { results.append(" "); - results.append(attribute); + if (attribute.indexOf('"') >= 0) + throw new IllegalArgumentException("quote character in attribute name"); results.append("=\""); - results.append(value); + results.append(ResponseUtils.filterIfQuote(value)); results.append("\""); } } The results.append(attribute); was completelly removed from code, so call renderAttribute(result, "foo", "bar"); will produce a broken HTML code - " =\"bar\"" - in result. Can you tell that to the original author?
I'll bounce you the mail from Florian. Feel free to reply directly (including vendor-sec).
Submitted fixed packages
is this public (i.e. can it go into factory) ?
I've asked the reporter but no reply yet
I am testing the maintenance update. Is there any exploit? I mean I understand what the problem is but since I never worked with struts before, I'd take some time. So simple exploit (or just small howto) would be appreciated. TIA
no idea on my side... Michal?
Me too :(. I'll take a look on Monday.
Not needed anymore, I've just found out. Preparing exploit...
Seems that I was too quick :( I've found out how to exploit if I can write some "evil" string directly into jsp source. Then I am able to see whether the struts objects checks the evil value and replace '"'s in it. I can do - enctype will esult in XSS: <html:form action="insertEmployee" focus="name" enctype="\"><span class=\"error\">FormTag test failed.</span>"> <table> <tr> <td >Name:</td> <td><html:text property="name"/></td> </tr> </table> <html:submit>Submit</html:submit> </html:form> So I have two questions/notes: 1. How to put the evil value to struts objects' arguments from outside? Drom other sources it seems that instead of argument="string" i can do argument="${variable}". So it seems that I can get any value from user (if the value is in some variable) into the agrument. Is it correct? If not, I haven't founbd the way to exploit the vulnerability (and I would appreciate any help). 2. OTOH if the vulnerability is just the argument="${variable}" as described above, then the fix seems to be *incomplete* since there are struts objects with arguments which are not checked! e.g.ImgTag.src, which is exploitebale with: <html:img src="\"><span class=\"error\">ImgTag test failed.</span>"> Am I right (if so, other tags need to be fixed as well and I should reject the current update)?
michal?
I resent a question to Florian Weimer (with Lukas in CC). Hopefully he'll helps.
did you get an answer yet?
I prepared a simple exploit to demonstrate this vulnerability. Let's have a simple JSP page with struts tag img (it's derived from BaseHandlerTag [1]): ------------------------------------------------------------------ <%@ taglib uri="/tags/struts-html" prefix="html" %> <html> <head> <title>CVE-2008-2025 exploit test</title> </head> <body> <html:img src="noone.gif" alt="<%= request.getParameter("alt") %>"/> </body> </html> ------------------------------------------------------------------ Then call it with a GET parameter begining with double quote. For example: ?alt="<script type="text/javascript">alert ("Got ja!!");</script> The unpatched struts copied the string to parameter title and the resulted HTML code will be: <img src="noone.gif" alt=""<script type="text/javascript">alert ("Got ja!!");</script>"/> This will be interpreted by browser as a javascript and executed, so the message box with Got ja!! will be raised. The patched struts filters quotes, so the result will be <img src="noone.gif" alt=""<script type="text/javascript">alert ("Got ja!!");</script>"> and this is properly considered as a parameter of html tag IMG and the content will be shown on webpage. I'll upload the war file which should be used for test. [1] http://struts.apache.org/1.x/struts-taglib/apidocs/org/apache/struts/taglib/html/package-summary.html#package_description
Created attachment 280214 [details] The simple exploit for struts How to test: 1.) zypper install tomcat6 struts 2.) mkdir -p /var/cache/tomcat6/Catalina; ln -sf /var/cache/tomcat6/Catalina /etc/tomcat6/Catalina (see bug#424675 - it's for proper deploy of META-INF/context.xml which allows symlinks) 3.) Run tomcat6 4.) Copy a war to /usr/share/tomcat6/webapps/ 5.) Wait on deploy (tail -F /usr/share/tomcat6/logs/catalina.out) Type a http://localhost:8080/bnc385273/ - you will be redirected to Welcome.do page with instructions. For test, just click on the link. As many distribution contains a patched struts, I added an struts-unpatched.jar for successful test of vulnerability. To replace it, just cp struts-unpatched/struts-unpatched.jar WEB-INF/lib/struts.jar touch WEB-INF/web.xml then click again on link and the message box will be shown.
Thanks for the code. I've modified your page to the following and call it with GET arguments ?src=" "><script>alert("Hi-src!")</script>"&alt=" "><script>alert("Hi-alt!")</script>"&enc=" "><script>alert("Hi-enc!")</script>" <%@ taglib prefix="html" uri="http://struts.apache.org/tags-html" %> <html> <head> <title>CVE-2008-2025 exploit test</title> </head> <body> <html:img src="<%= request.getParameter("src") %>"/> <html:img src="file.jpg" alt="<%= request.getParameter("alt") %>"/> <html:form action="insertEmployee" focus="name" enctype="<%= request.getParameter("enc") %>"> <table> <tr> <td >Name:</td> <td><html:text property="name"/></td> </tr> </table> <html:submit>Submit</html:submit> </html:form> </body> </html> If I run the page on unpatched struts, I get all three popup - so all three tags arguments are unchecked. But if I run it on patched struts sles10-sp2, only Hi-alt and Hi-src popups are displayed. Maybe on other sles versions '"' are replaced with " in html:img tag, but definitely not in sles10-sp2 therefore what I wrote in comment#20 (part2) is true and the patch is incomplete:( Am I missing something?
Sorry, I tested it on tomcat6 from Factory. I'll retest it on sle10-sp2.
The fix works only on struts 1.2.9 (all openSUSE and SLE11), but not in struts 1.2.4 on SLE10-SP2. Please stop current maintenance update for SLE10-SP2. I'm going to fix it for struts 1.2.4 properly.
Created attachment 281851 [details] The patch for struts 1.2.4 from SLE10-SP2 This is a fixed patch for SLE10-SP2 - the 1.2.4 has more places needs to be fixed, than 1.2.9, which uses a subclasses.
Created attachment 281854 [details] The exploit with a fixed struts.jar for SLE10-SP2 This is a same exploit used by llipavsky before. Only one difference is in struts.jar, which comes from patched version for SLE10-SP2. All tags parameters are properly quoted using " and no Javascript alert is displayed on page rendered by this version of struts. How to run (same as a previous exploit): export CATALINA_HOME="/usr/share/tomcat5" export CATALINA_BASE="/srv/www/tomcat5/base/" ant war URL is: http://host:8080/exploit2-patched2/?src=""><script>alert("Hi-src!")</script>"&alt=""><script>alert("Hi-alt!")</script>"&enc=" "><script>alert("Hi-enc!")</script>"
submitted fixed package struts for SLE10-SP2 and reassigning back to the security team
Update released for: struts, struts-javadoc, struts-manual, struts-webapps-tomcat5, struts-webapps-tomcat6 Products: openSUSE 10.3 (i386) openSUSE 11.0 (i386) openSUSE 11.1 (debug, i586)
released
Update released for: struts, struts-javadoc, struts-manual, struts-webapps-tomcat5 Products: SLE-SDK 10-SP2 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP2 (i386, ia64, ppc, s390x, x86_64)
Looks like we missed sle11. Michal, could you submit struts for sle11 as well please?
fixed struts for sle11 submitted.
... and released. Thanks.
open some private comments so vincent can see them