7

My application is running struts 1.1 on tomcat 7.0.47. Whenever I request a jsp like this :

http://localhost:8080/myTestPage.jsp?lang=fr

The value lang=fr is automatically stored in cookies . Even if the jsp is not related to an action in the config, and contains only "eclipse jsp's template code".

This is a security issue as there is no controle over this parameter ( you can inject JS ).

How or why this parameter is stored ? This behavior applies only for the lang parameter .

Mehdi
  • 1,340
  • 15
  • 23
  • Can you give more info about your settings (tomcat?) how it saved and relevant code if any? – Ori Marko Aug 27 '18 at 15:14
  • In my case tomcat settings are vast, I cannot share the whole configuration due to Organizational policies.If you suspect any particular setting I can share it . – Mehdi Aug 27 '18 at 17:07
  • do you have '' in struts? – Ori Marko Aug 28 '18 at 05:03
  • I searched in the code, no. ( I Also edited the question ) – Mehdi Aug 28 '18 at 14:26
  • 1
    At what point do you display the `lang` parameter on the page making JS injection a problem? I mean, maybe it's Struts 1 (for which there is zero support because it's *old*-old), but anything coming from the user should be validated no matter what. In any case, why not just put in a filter? – Dave Newton Aug 28 '18 at 21:43
  • I do not display it, it is stored in session ( a cookie named lang ). I can intercept parameters if the request is made to an action, but when i call a single JSP I do not intercept anything. – Mehdi Aug 29 '18 at 02:11
  • @DaveNewton , I think it's an existing filter who persists the parameter in session, I'm trying to find it but it's a little complicated since many filters reside in other dependencies ... – Mehdi Sep 05 '18 at 21:09

2 Answers2

0

Sounds to me like your cookie interceptor is active in (your / one of your) config file, something like this:

<action ... >
   <interceptor-ref name="cookie">
      <param name="cookiesName">cookie1</param>
      <param name="cookiesValue">cookie1value</param>
   </interceptor-ref>
   <interceptor-ref name="cookie">
      <param name="cookiesName"<cookie2</param>
     <param name="cookiesValue">cookie2value</param>
   </interceptor-ref>
   ....
 </action>

Taken from this link: https://struts.apache.org/core-developers/cookie-interceptor.html

Raul Lapeira Herrero
  • 891
  • 5
  • 19
0

Finally I found the class causing the problem using the profiler (jvisualvm.exe) that comes with the JVM :

It has nothing to do with struts. It was a custom Tomcat Valve configured on the server.xml file ( server level ). That valve was in in a jar in /lib folder.

# server.xml
<Valve className="com.example.ValveExample" >

That explains why I couldnt find the class, it was not visible from the project classpath .

So what I did is just modify the valve source code to match the behavior I want, package the Jar and put it again in /lib .

Mehdi
  • 1,340
  • 15
  • 23