Recent changes to bugs

HDIV struts 1.2.7 addHDIVParameter

pk808 — Mon, 08 Aug 2011 16:49:48 -0000

In method addHDIVParameter of FormTagHDIV.java, String hdivParameter is not used and so the HDIV parameter is not added. In other strut versions, hdivParameters is used like so: TagUtils.getInstance().write(pageContext, this.generateHiddenTag(hdivParameter, requestId));

HDIV Core validateStartPageParameters

pk808 — Mon, 08 Aug 2011 16:49:13 -0000

Method validate in Validation.java always returns true when validating parameters of an init page because the dataType passed to it from method validateStartPageParameters in AbstractValidatorHelper.java is always an empty string ("") and the component type is either "text" or "textarea". public boolean validate(String parameter, String[] values, String dataType) if (this.existComponentType() && (!this.isTheSameComponentType(dataType))) { return true; } public boolean validateStartPageParameters() if (!hdivConfig.areEditableParameterValuesValid(this.targetWithoutContextPath, parameter, values, "")) {

Vulnerability in HDIV struts2 showcase

Andres Riancho — Thu, 16 Apr 2009 18:50:28 -0000

I just found a way to exploit a permanent cross site scripting in the HDIV struts2 showcase application.

1- Install struts2-showcase-2.0.11.war
2- Click on "Person Manager"
3- Click on "Create Person"
4- Add a person with name "andres" and last name "riancho<script>alert(2)</script>".
5- Click on "List people"
6- A pop-up with a number 2 should appear.

Editable data is also important ;)

Andrés Riancho
http://www.bonsai-sec.com/