Recent changes to bugs

HDIV struts 1.2.7 addHDIVParameter

2011-08-08T16:49:48Z

In method addHDIVParameter of FormTagHDIV.java, String hdivParameter is not used and so the HDIV parameter is not added. In other strut versions, hdivParameters is used like so: TagUtils.getInstance().write(pageContext, this.generateHiddenTag(hdivParameter, requestId));

HDIV Core validateStartPageParameters

2011-08-08T16:49:13Z

Method validate in Validation.java always returns true when validating parameters of an init page because the dataType passed to it from method validateStartPageParameters in AbstractValidatorHelper.java is always an empty string ("") and the component type is either "text" or "textarea". public boolean validate(String parameter, String[] values, String dataType) if (this.existComponentType() && (!this.isTheSameComponentType(dataType))) { return true; } public boolean validateStartPageParameters() if (!hdivConfig.areEditableParameterValuesValid(this.targetWithoutContextPath, parameter, values, "")) {

Vulnerability in HDIV struts2 showcase

2009-04-16T18:50:28Z

I just found a way to exploit a permanent cross site scripting in the HDIV struts2 showcase application.

1- Install struts2-showcase-2.0.11.war
2- Click on "Person Manager"
3- Click on "Create Person"
4- Add a person with name "andres" and last name "riancho<script>alert(2)</script>".
5- Click on "List people"
6- A pop-up with a number 2 should appear.

Editable data is also important ;)

Andrés Riancho
http://www.bonsai-sec.com/