Struts1.x 跨站脚本(XSS)漏洞的解决

【前言】结婚真是一件麻烦的事情，尤其两个地域上差别比较大的两家人。想想繁琐的过程，还不如自己安静地享受单身的日子。

 

【参考】

http://android.blog.51cto.com/268543/113584

http://wiki.apache.org/struts/StrutsXssVulnerability

 

【正文】

一 演示XSS

   当访问一个不存在的网址时，例如 [url]http://localhost:8080/demo/noAction.do[/url],那么Struts处理后都会跳到提示“ Invalid path /noAtcion.do was requested”的页面。

   但如果我们访问的网址是 [url]http://localhost:8080/demo/<script>alert[/url]('ok')</script>.do，那么按道理，提示页面就会变成“ Invalid path /<script>alert('ok')</script>.do was requested”。很明显，这将会执行 <script>alert('ok')</script>这脚本，最终显示的内容就会把执行的脚本代码去掉，剩下 Invalid path /.do was requested。漏洞就在这里了，如果那脚本是有害的，另有企图的，那么...

二  解决方法
   尝试输入 [url]http://www.baidu.com/<script>alert[/url]('ok')</script>.html,将会提示该页面不存在，而不会像上面的提示那样。
   解决方法就在这里：设置专门处理404等error的页面。这是Struts官方网站提供的一种方法之一。
   而官方网站的wiki( [url]http://wiki.apache.org/struts/StrutsXssVulnerability[/url])还提供其他方法。

    1.升级到Struts 1.2.8版本
     Struts 1.2.8版本已经解决了这个XSS漏洞。而之前的版本都受到XSS漏洞的影响。

    2.配置"unknown" Struts Action
     如果客户端请求了struts-config.xml中没有定义的资源，Struts会丢出 404 Invalid path 的讯息，您可以撰写匿名的ActionMapping来提供自己的错误讯息：
 
    <action

      name="error"

      path="/unknown" 

      unknown="true" 
      forward="/WEB-INF/pages/error.jsp"/> 

   如果RequestProcessor遇到没有定义的Action请求，则会交由匿名的ActionMapping来处理。

   当然别忘了最简单的方法: 设置并指定自定义的 404/Not found处理网页。

——————————————————————————————————————————

下面是官方的处理方法：

Struts XSS Vulnerability

 

1. Information

A Cross Site Scripting (XSS) vulnerabilty has been identified in Struts by Hacktics.com. For further information, see...

• Wikipedia - What is Cross Site Scripting?

• Hacktics.com Advisory - Details of the threat to Struts

 

2. Impact

The following GA quality versions of Struts are vulnerable:

• Struts 1.0.x
• Struts 1.1
• Struts 1.2.4
• Struts 1.2.7

N.B. i.e. Struts 1.2.8 and Struts 1.3.x do NOT have this vulnerability.

 

3. Solutions/Options

There are three possible courses of action users can take to guard against this vulnerability:

• Configure an unknown Struts Action (Struts Version 1.1 onwards)

• Upgrade to Struts 1.2.8

• Configure your Servlet Container to use a Custom Error Page for 404 / Not Found errors

 

3.1 Configure an '''unknown''' Struts Action

From Struts 1.1 onwards it is possible to configure one action in the struts-config.xml for mappings which are Not Found. This action should be configure to forward to a custom error page (which doesn't include the Request's path!).

To do this you specify the unknown attribute on ONE of your action mappings and forward to a custom error page, for example...

 

   <struts-config>
       <action-mappings>
           <action forward="/CustomNotFoundError.jsp" unknown="true" />
       </action-mappings>
   </struts-config>

Ralph Hauser reports that the above "doesn't validate with the 1.2 DTD". I tried it in the struts-examples webapp for Struts 1.2.7 and it worked fine for me - niallp. However, if the above doesn't work, then add a "path" element to the action mapping:

   <struts-config>
       <action-mappings>
           <action path="/unknown" forward="/CustomNotFoundError.jsp" unknown="true" />
       </action-mappings>
   </struts-config>

 

3.2 Upgrading to Struts 1.2.8

Struts has been modified to remove this vulnerability in Struts 1.2.8. For further information on Struts 1.2.8, see:

• Struts 1.2.8 Release Notes

• Notes on Upgrading

• Download latest Struts here

 

3.3 Configure Servlet Container to use a '''Custom Error Page'''

Check your servlet container's documentation to see if you can configure a custom error page for 404 / Not Found status