Background ========== Struts is an open source framework for building web applications. The core of the Struts framework is a flexible control layer based on standard technologies such as Java Servlets, JavaBeans, resource bundles, and the Extensible Markup Language (XML). Struts can be used with different Java engines, such as WebLogic, TomCat, JRun, etc. Scope ===== After identifying in Struts an error message echoing the path back to the user, Hacktics has conducted a research of identifying a cross site scripting vulnerability in the implementation of this error on different application servers. The Finding =========== When attempting to access a non existent Struts action URL (including the Struts URL suffix, e.g. .do), the struts request handler generates an error echoing the path of the requested action. The mechanism generating this error does not perform sufficient input validation nor perform HTML encoding of the output, thus exposing the system, in some environments, to a Cross Site Scripting attack. For detailed description and exploit please visit http://www.hacktics.com/AdvStrutsNov05.html Versions Tested =============== Vulnerable Struts 1.2.7 Running on WebLogic 8.1 SP4 Struts 1.2.7 Running on WebLogic 8.1 SP5 Struts 1.2.7 Running on Resin Web Server Non Vulnerable Struts Running on Apache Tomcat 5.5.9 Struts Running on Apache Tomcat 5.5.12 Solution ======== The Apache Struts group has been notified of this vulnerability on November 3rd, and has fixed the problem in the new Struts release (1.2.8). Upgrading to the new version will eliminate the threat. Alternatively, a work around is available on existing versions by configuring the web server to display custom error messages rather than the default ones. ----------------------- Irene Abezgauz Application Security Consultant Hacktics Ltd. Mobile: +972-54-6545405 Web: http://www.hacktics.com